ABSTRACT


System reliability analysis is an essential element of the design process. A reliability study should proceed from system inception through final deployment. As the PANSAT project approaches the final design stage and begins initial flight production, the absence of any significant reliability analysis becomes increasingly troubling. This thesis initiates the program's reliability analysis obligation by investigating spacecraft failure modes. Typically referred to as critical failure modes, these events cause complete and permanent system failure. A reliability analysis tool, called Fault Tree Analysis (FTA), is used to conduct a systematic review of the current hardware design architecture to expose potential critical failure points, or weak links.

The analytical result is a Boolean logic tree that describes critical failure events and all their potential causes. This causal relationship identifies each single component failure (i.e., single point failure), or combination of component failures (i.e., multi-point failures), which could cause the undesirable failure event, or Top Event. The fault tree will provide design engineers and management personnel with an effective tool and reference point from which to implement design modifications to circumvent potential problems.
I. INTRODUCTION


A. PANSAT OVERVIEW

The Petite Amateur Navy Satellite (PANSAT) is a small satellite being designed, fabricated, and eventually operated by faculty and students at the Naval Postgraduate School (NPS). Primarily a project of the Space Systems Academic Group (SSAG), it combines the efforts and expertise of staff and students of various departments. These include the Departments of Aeronautical and Astronautical Engineering, Electrical and Computer Engineering, and Computer Science. The spacecraft will provide amateur radio enthusiasts a new space communication medium utilizing spread spectrum modulation for radio packet switching. It also provides a platform for evaluating the use of spread spectrum in reducing frequency band congestion.

The design, development, and deployment of the satellite is integrated in a coordinated manner by the SSAG engineering staff and master's candidate students at NPS. The student contributions are primarily through thesis, class, or individual projects as well as directed study courses. The faculty provides the necessary expertise and direction to assist in project and thesis advisement and consultation.

1. Purpose

The primary purpose of the PANSAT project is to provide practical hands-on experience for NPS students in the Space Systems Operations and Space Systems Engineering curricula. Military communication applications employ spread spectrum techniques primarily to achieve anti-jam and security objectives. PANSAT gives the officer student practical experience with this technology for future applications.

a. Engineering

The engineering experiences provided by PANSAT allow students of the various core engineering disciplines the opportunity to apply basic principles, coupled with creative thought processes, to a wide variety of engineering problems inherent to the design and fabrication of a spacecraft. The student is able to experience the spacecraft development process from conceptual design through fabrication, testing, launch integration and deployment stages.

b. Operation

Students of the Space Systems Operations curriculum benefit from the opportunity to experience a wide variety of aspects of space system acquisition and operation that would not normally be made available in an academic environment. The PANSAT program provides a creative medium to explore new and exciting concepts from mission planning, requirements definition, and design reviews through spacecraft launch, initialization, and mission operations. This provides a valuable background to the student in future assignments as program sponsors, project managers, or operational supervisors.

2. Mission Overview

The mission of the PANSAT spacecraft will be to carry a communications payload that exploits the amateur radio community's 70 centimeter band. The implementation of a communication link which spreads a differentially coded binary phase shift keyed (BPSK) signal utilizing the direct sequence spread spectrum (DSSS) technique is an element of the PANSAT design which makes it unique among spacecraft that employ radio packet switching communications.

a. Concept of Operations

Developed as a small (about 150 pound) spread spectrum communications satellite and as an educational project for officer students at NPS, PANSAT will be launched into Low Earth Orbit (LEO) from the Space Shuttle via the Hitchhiker program. The capability to launch the spacecraft from a refurbished Minuteman missile is under investigation as an alternate launch platform.
The exact orbital parameters of the spacecraft are not yet known; it is expected, however, to operate in a circular orbit at an altitude of approximately 200 nautical miles, with an inclination of between 28.5 and 51.6 degrees. Amateur radio ground stations will be able to access PANSAT and utilize it as an orbiting e-mail server providing store and forward packet file transfer (Fig. 1) between terrestrial users. Packet switching, utilizing the amateur radio community's packet switching protocol (AX.25), will be used as the networking protocol between the ground station and the spacecraft.


Figure  1.  Store  and  Forward  Concept  [Ref.  1] 


The PANSAT design objective was to minimize cost and complexity; this in turn fostered creativity and resourcefulness. The absence of Guidance, Navigation and Control (attitude control), active Thermal Control, and Propulsion subsystems created unique issues to be addressed by the design engineers. With an orbital attitude that has been commonly referred to as "tumbling", the spacecraft employs distinctive antenna design characteristics to help ensure the communications payload will be consistently in contact with visible ground stations.

B. THESIS OBJECTIVE

In the most general terms, the reliability of a system can be described as the probability that the system will remain operational, or maintain its ability to complete its design mission objective, for a given period of time under given environmental conditions. The applications of the reliability analysis field and the methods used to evaluate them are extensive. This thesis will explore the application of one such method, called Fault Tree Analysis (FTA), to critically evaluate the PANSAT design.

1. Purpose

Reliability analysis of a system can be accomplished utilizing various analysis methods. A particular analytical method may be more applicable to one design state than another during the project's life-cycle. To date no detailed reliability analysis has been conducted, which underscores an unquestionable need to perform such a study. The identification of potential failure modes prior to the critical design review, and before commencement of flight hardware production, is essential to ensure fulfillment of the mission life requirement.

2. Concurrent Engineering Concept

The idea of concurrent engineering, or the practice of incorporating various life-cycle values into the early stages of design, is one that has gained an increasingly popular following, particularly in the climate of shrinking fiscal budgets. The process of designing for reliability is an element of the process that is receiving a great deal of attention. Particularly in systems, like satellites, where system repair is next to impossible once the system is placed into operation, the concern for a reliable system by all levels of management is at the forefront of the design process (Fig. 2).

Principally an organizational and managerial challenge, concurrent engineering concepts are particularly important in the early stages of program development. Traditionally, reliability budgeting begins in the concept phase and reliability verification continues throughout the project development cycle.

A cursory study of the project design may lead a program manager or design engineer to believe the system is very robust because of the built-in redundancy of the design architecture. A detailed study may reveal inherent weak points that degrade the true system reliability.
3. Scope of Thesis

This thesis will analyze the critical hardware failure modes of the PANSAT hardware architecture by utilizing an analysis tool called Fault Tree Analysis (FTA). Critical failures are those failures which lead to an unrecoverable failure of essential mission components and leave the system inoperable. This can occur at any time within the system's lifetime.

Although not immediately apparent, a reliability study for a project which is as relatively small and seemingly simple as the PANSAT design can quickly become complex and increasingly time consuming.


Figure  2.  Cost  or  System  Effectiveness  Assurance  Structure  [Ref.  2] 


a. Problem Statement

A detailed reliability study of the PANSAT project has not been conducted to this point, so this thesis will be a first-cut analysis of the current design status. The majority of the critical failure analysis will focus on the Electrical Power Subsystem (EPS), with a minor look at the Digital Control Subsystem (DCS) and the Communications Subsystem (COMM) payload. The incomplete design status of various subsystems, particularly low-level design considerations (i.e., specific functional and component design as well as component identification), precludes a detailed quantitative reliability analysis. The fault tree will be constructed incorporating a qualitative analysis of the hardware design, with the capability to conduct subsequent quantitative analysis as required. The goal of the qualitative review will be to help identify weak areas of the design, particularly single point failures, for which a design work-around could easily be incorporated.
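The abstract describes the product of FTA as a Boolean tree whose cut sets are the single and multi-point failure combinations that cause the Top Event, and the problem statement above notes that the qualitative tree should later support a quantitative pass. The following example, added here and not part of the thesis or of the FaultrEASE tree in Appendix D, shows both steps on a constructed toy tree: it expands OR/AND gates into minimal cut sets, lists the single point failures (cut sets of size one), and computes the Top Event probability from assumed basic-event probabilities, first as the rare-event upper bound and then exactly by inclusion-exclusion. The event names (PCB_BREAK, BATT_A, DCS_A, WDT, ...) and the probabilities are illustrative assumptions modelled on the subsystems described in Chapter II, not values from the design.

```python
"""Minimal cut sets and top-event probability for a small fault tree.

Added example, not the thesis' FaultrEASE tree.  The tree below is a
constructed toy modelled on the PANSAT subsystems the text describes;
the basic-event names and probabilities are assumptions for illustration.
"""
from itertools import combinations, product
from math import prod
from typing import Dict, FrozenSet, Set

# A node is either a basic-event name (str) or a tuple ("OR"|"AND", child, ...).
CutSets = Set[FrozenSet[str]]


def minimize(sets: CutSets) -> CutSets:
    """Drop any cut set that is a strict superset of another (keep only minimal ones)."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node) -> CutSets:
    """Bottom-up expansion: OR unions the children's cut sets, AND takes their cross product."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        result = set().union(*child_sets)
    elif gate == "AND":
        result = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(result)


def single_point_failures(mcs: CutSets):
    """Cut sets of size one: a single basic event that alone causes the top event."""
    return sorted(e for s in mcs if len(s) == 1 for e in s)


def top_probability_bound(mcs: CutSets, p: Dict[str, float]) -> float:
    """Rare-event approximation: the sum of the cut-set probabilities, an upper
    bound on P(top) when the basic events are independent."""
    return min(1.0, sum(prod(p[e] for e in s) for s in mcs))


def top_probability_exact(mcs: CutSets, p: Dict[str, float]) -> float:
    """Exact P(top) by inclusion-exclusion over the minimal cut sets, assuming
    independent basic events.  Exponential in len(mcs); fine for small trees."""
    mcs = list(mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)   # intersection of cut sets = union of their events
            term = prod(p[e] for e in events)
            total += term if k % 2 else -term
    return total


# Constructed toy tree (assumption, not the thesis' Appendix D tree): the top
# event "loss of spacecraft" occurs if the peripheral control bus breaks, if
# both batteries fail, if both launch-switch sets fail to close, or if DCS A
# fails and either DCS B has also failed or the watchdog cannot switch to it.
TOP = ("OR",
       "PCB_BREAK",
       ("AND", "BATT_A", "BATT_B"),
       ("AND", "LAUNCH_SW_SET1", "LAUNCH_SW_SET2"),
       ("OR", ("AND", "DCS_A", "DCS_B"), ("AND", "DCS_A", "WDT")))

# Assumed mission-life failure probabilities, for illustration only.
P = {"PCB_BREAK": 0.01, "BATT_A": 0.1, "BATT_B": 0.1,
     "LAUNCH_SW_SET1": 0.02, "LAUNCH_SW_SET2": 0.02,
     "DCS_A": 0.05, "DCS_B": 0.05, "WDT": 0.02}

if __name__ == "__main__":
    mcs = cut_sets(TOP)
    for s in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(sorted(s))
    print("single point failures:", single_point_failures(mcs))
    print("P(top) bound:", top_probability_bound(mcs, P))
    print("P(top) exact:", top_probability_exact(mcs, P))
```

Running it lists five minimal cut sets, of which only the bus break is a single point failure; that is the qualitative result a design review acts on first. The minimization step matters when a basic event appears under more than one gate (as DCS_A does here), since the raw cross product would otherwise report non-minimal combinations as if they were distinct failure paths.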

b. Research Questions

There are two primary questions this thesis will address in order to help minimize the potential for a critical failure.

(1) What are the critical failure modes of the PANSAT hardware architecture?

(2) How can critical failures be minimized through hardware and software design modifications?

C. THESIS STRUCTURE

The remaining portions of this thesis will adhere to the following composition.

1. Chapter II: PANSAT Background

This chapter will provide the reader with a synopsis of the hardware and software architecture of the PANSAT program. This will provide a working understanding of the system design in its present state. A review of the subsystem design, particularly the EPS, will be beneficial in understanding the system operation and the magnitude of the analysis required. A short description of the program timeline is included to provide the reader an understanding of the program life-cycle and the unique nature of a program whose primary development is supported by continuously changing student involvement.

2. Chapter III: Reliability

This chapter is devoted to the development of the reliability issues involved in conducting a design analysis. A theoretical basis of the FTA methodology is discussed, including its application to real world issues. There are numerous software packages available to assist a reliability engineer in the analysis of a system. A software package called FaultrEASE, which implements an FTA program, was used for the fault tree construction and analysis and is discussed for completeness.

3. Chapter IV: PANSAT Fault Tree Analysis

The fault tree constructed for the PANSAT project will be explored in detail in this chapter to answer the research questions. Detailed analysis of the fault tree is provided to explore potential problem areas.

4. Chapter V: Summary

This chapter will summarize the reliability issues uncovered during the analysis and the recommendations made for design modification. Follow-on reliability analysis is suggested to assist in management decisions and further student research.

5. Appendix A: Electrical Power Subsystem (EPS) Fault Tree Analysis

This appendix contains EPS block diagrams and schematics to assist the reader in understanding the system configuration. A fault tree of the EPS is included, with analysis information summarized in tables describing the failure end events and failure event combinations which could cause a critical failure of the EPS.

6. Appendix B: Communications Fault Tree Analysis

This appendix contains a block diagram of the radio frequency (RF) subsystem to assist the reader in understanding the system configuration. A fault tree of the RF subsystem is included, with analysis information summarized in tables describing the failure end events and failure event combinations which could cause a critical failure of the RF subsystem.

7. Appendix C: Digital Control Subsystem Fault Tree Analysis

This appendix contains a block diagram of the digital control subsystem (DCS) to assist the reader in understanding the system configuration. A fault tree of the DCS is included, with analysis information summarized in tables describing the failure end events and failure event combinations which could cause a critical failure of the DCS.

8. Appendix D: PANSAT Fault Tree

This appendix contains the fault tree constructed using the FaultrEASE software package. All the analysis results listed in the previous appendices were derived from this fault tree.
II. PANSAT BACKGROUND


A. DEVELOPMENT

The PANSAT program was conceived in 1989 as an interdisciplinary educational opportunity for NPS Space Systems Operations and Space Systems Engineering postgraduate students. Future duty assignments of students in these curricula will be in support of space system acquisition, design, and operation.

The spacecraft consists of four major subsystems: Communications (COMM), Electrical Power Subsystem (EPS), Digital Control Subsystem (DCS), and the Structure subsystem. Unlike most spacecraft designs, the PANSAT project omits two major subsystems found on most spacecraft. The Guidance, Navigation, and Control (GNC) and the Propulsion subsystems have been eliminated from the design to reduce complexity and cost. Additionally, there is no active thermal control subsystem.

B. SYSTEM ARCHITECTURE

The hardware architecture is the principal focus of the reliability analysis, with a brief description of the envisioned software architecture included for completeness.

1. Hardware Architecture

a. Structure

The PANSAT structure provides the housing and support mechanisms for the other spacecraft (S/C) systems. A 26-sided polyhedron in which 18 of the sides are square and the remaining eight sides are triangular, the aluminum frame provides structural support for the internal electronic components as well as the 17 externally mounted solar panels, which are attached to the square sides (Fig. 3). The one remaining square side is reserved for the launch vehicle interface (LVI). A design proposal is being studied for the utility of mounting a smaller solar panel within the void region of the LVI. If the additional solar panel concept is accepted, this gallium arsenide panel will provide additional power to a power system that is operating on a very tight power budget.


Figure  3.  PANSAT  External  Structure  [Ref.  1] 


The approximately 19 inch diameter polyhedron was chosen to allow the mounting of the solar panels on the external skin of the S/C, allowing solar energy conversion in any orientation of the spacecraft and minimizing the range of values of solar flux area. The upper triangular sections of the external structure support the four dipole antennas, which are mounted in a tangential turnstile configuration.

Internal equipment mounting support (Fig. 4) is provided by two equipment plates (upper and lower), with each major subsystem component housed within an equipment box.


Figure  4.  PANSAT  Internal  Structure  [Ref.  1] 
b. Electrical Power Subsystem (EPS)

The electronic subsystems are functionally linked as depicted in the PANSAT functional block diagram (Fig. 5).


Figure  5.  PANSAT  Functional  Block  Diagram 


Consisting of two major functional divisions, logic control and power distribution, the EPS is responsible for generating and disseminating all electrical power used throughout the spacecraft. The EPS functional block diagram is shown in Fig. 6.

Logic control of the EPS provides the necessary internal command and control interface with the digital control subsystem (DCS) for the distribution of power within the S/C. It also retains the capability to reinitialize the S/C in the event of a DCS failure.

The reinitializing component of the EPS architecture is called the watchdog timer (WDT). The WDT is nothing more than a timing circuit which is periodically reset by a signal from the DCS. This signal provides the WDT with the operational status of the DCS. If the WDT has not been reset after a given period of time, the WDT assumes the DCS has failed and causes power to be applied to the redundant DCS. This in turn causes the S/C to begin initialization procedures. The WDT (Fig. A.3) does this by causing the D flip-flop, U27:A, to change state, which triggers a signal to close the respective switch (Fig. A.1 and A.5), either S7 or S8, applying power to the redundant DCS and commencing initialization procedures.
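The WDT behaviour just described is simple enough to simulate, and the simulation exposes the one parameter the text does not state: the relationship between the WDT timeout and the initialization time of the redundant DCS. The following discrete-time model is an added example and is not PANSAT flight logic; the tick length, the heartbeat period, the boot delay and the failure times are assumptions for illustration. It runs the timer against two DCS units and records every flip-flop toggle. With a boot time shorter than the timeout a dead DCS A produces exactly one switch to B; with a boot time longer than the timeout the WDT expires before either unit can send its first reset and the spacecraft ping-pongs between S7 and S8 indefinitely; and once both units are dead the WDT keeps cycling, which is the "both DCS fail" combination a fault tree would flag.

```python
"""Discrete-time simulation of the EPS watchdog timer failover described above.

Added example, not PANSAT flight logic.  Tick lengths, the heartbeat period,
the boot delay and the failure times are all assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple


class WatchdogTimer:
    """Free-running counter reset by DCS heartbeats.  On expiry it toggles the
    flip-flop that selects which DCS power switch (S7 or S8) is closed."""

    def __init__(self, timeout: int):
        self.timeout = timeout
        self.elapsed = 0
        self.active = "A"                  # DCS currently powered
        self.switch_log: List[Tuple[int, str]] = []

    def reset(self) -> None:
        """Heartbeat from the active DCS: the timer is rearmed."""
        self.elapsed = 0

    def tick(self, now: int) -> bool:
        """Advance one tick; return True if the WDT expired and switched DCS."""
        self.elapsed += 1
        if self.elapsed < self.timeout:
            return False
        self.active = "B" if self.active == "A" else "A"   # flip-flop changes state
        self.elapsed = 0
        self.switch_log.append((now, self.active))
        return True


def simulate(timeout: int, boot_ticks: int, fails_at: Dict[str, Optional[int]],
             total_ticks: int = 30, heartbeat_period: int = 2) -> List[Tuple[int, str]]:
    """Run the WDT against two DCS units and return the list of (tick, new active unit).

    A unit sends a heartbeat only once it has finished booting (boot_ticks after
    power-up), then every heartbeat_period ticks, and only while it is healthy
    (before its failure tick; None means it never fails).  Only the active unit
    is powered, so only it can feed the timer."""
    wdt = WatchdogTimer(timeout)
    powered_at = 0                         # tick at which the active DCS was powered
    for now in range(1, total_ticks + 1):
        unit = wdt.active
        age = now - powered_at
        fail = fails_at.get(unit)
        healthy = fail is None or now < fail
        if healthy and age >= boot_ticks and age % heartbeat_period == 0:
            wdt.reset()
        if wdt.tick(now):
            powered_at = now               # the other DCS starts its initialization
    return wdt.switch_log


if __name__ == "__main__":
    # DCS A dies at tick 12; B boots in 3 ticks, well inside the 5-tick timeout.
    print("single failover:", simulate(5, 3, {"A": 12, "B": None}))
    # Boot time longer than the timeout: neither unit ever gets a heartbeat out,
    # so the WDT toggles S7/S8 every timeout period from deployment onward.
    print("ping-pong:      ", simulate(5, 6, {"A": None, "B": None}))
    # Both units eventually dead: the WDT keeps cycling with nothing to recover.
    print("both dead:      ", simulate(5, 3, {"A": 12, "B": 20}))
```

The model makes the design check explicit: the WDT timeout must exceed the worst-case DCS initialization time plus one heartbeat period, otherwise the reinitialization mechanism itself prevents the spacecraft from ever reaching a stable state.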

The remainder of the EPS logic board provides an interface with the peripheral control bus (PCB) that allows the PCB to control EPS status measurements. The following measurements go directly to an analog input in the DCS:

(1) Battery cell voltage monitoring

(2) Battery current monitoring

(3) Solar panel current monitoring

(4) Total bus current

(5) Raw bus voltage

(6) Power switch control

(7) WDT reset

Primary electrical power is supplied by 17 solar panels (256 cm² per panel). The panels are connected in parallel to the EPS raw bus. Each panel is double wired and fused on the power line at both the solar panel and the EPS bus connection, to increase the power source reliability. Blocking diodes on each panel prevent reverse current flow through a low power panel, which would act as an energy sink and may cause panel damage. Each panel consists of one string of 32 series-connected silicon (Si) cells, each cell being 2 cm by 4 cm in size.

During orbit eclipse periods, power is supplied from the secondary source of power, one of the two Nickel Cadmium (Ni-Cd) batteries, to maintain the bus voltage at 12 ± 3 Vdc. Each of the batteries contains 10 type D cells connected in series. Space qualified batteries will not be employed because of their prohibitive cost. The use of terrestrial batteries will be of beneficial experimental value for a S/C deployed in low earth orbit. Extensive battery testing is in progress to determine operational characteristics and parameters.


Figure  6.  PANSAT  EPS  Functional  Block  Diagram 


Power from the energy sources is isolated from distribution to the rest of the S/C by mechanical launch switches. These switches, closed upon ejection from the shuttle, are a safety feature required by NASA to prevent accidental radiation of energy by the S/C until after it has been deployed from the shuttle cargo bay. Two sets of switches, connected in parallel, are employed to increase switch operation (closure) reliability.

Raw bus power (9 to 15 Vdc) to the various subsystems is controlled by electronic switching circuits, S5 through S15, which provide power to the DCS, Mass Storage (MASS), radio frequency (RF), Temperature Multiplexing (TMUX), and antenna deployment circuits. Each switch, with the exception of the RF switch, is fused to prevent a circuit failure in one switch or subsystem from being reflected throughout the EPS distribution and causing a catastrophic failure. The RF switch is not fused, since the RF system contains some level of redundancy. A catastrophic failure in the RF subsystem will cause a critical failure regardless, and it is not desirable to deploy a system where one faulty fuse could cause a critical failure of the system. Each switch, with the exception of the DCS power switches, is controlled by a signal from the DCS to the EPS via the PCB. The DCS power switches, as previously mentioned, are controlled internal to the EPS by the WDT.

c. Thermal Control

The PANSAT design is unique in that it possesses no active thermal control devices. Preliminary thermal analyses have concluded that the passive thermal design will maintain the components within their required limits. Various temperature sensors are mounted throughout the S/C to provide warnings and status and are included as part of the telemetry data. Only the battery temperature sensors will perform any active role, being used by the battery monitor program to determine and monitor battery state of charge, particularly during charging operations. The various analog temperature data points are multiplexed by the TMUX circuitry and passed to the DCS as analog signals. Each analog signal is converted to digital format via analog to digital (A/D) converters within the DCS and stored in the mass storage devices as historical telemetry data.


d. Digital Control Subsystem (DCS)

The DCS coordinates the operations of the EPS, the RF communication suite, and other mission essential operations such as health and welfare monitoring. The DCS consists of three principal modules: system controllers (SC), analog multiplexers (MUX), and mass storage (MASS) devices. Redundant modules, designated A and B, are provided for each function.

The compact design of the PANSAT structure necessitated a minimum quantity of interconnecting cabling within the S/C. The PCB provides a medium to distribute power to the various subsystems as well as a command and data signaling bus for the DCS to control and monitor the S/C. Communication data, temperature monitoring data, and power sensing data are also passed on the PCB, making it a vital link for all operations. This fact alone makes it an extremely important component, especially from a reliability viewpoint, since one wire break can cause a critical failure of the system.

The SC is the hub from which all S/C operations are controlled. Two printed circuit boards comprise the SC module (Fig. 7): the DCS digital board and the modem board, which is commonly referred to as the PARAMAX module. Each DCS digital board contains:

1. Microprocessor (μP)

2. A/D converters (for multiplexed temperature, current, and voltage measurements)

3. PCB interface

4. Error detection and correction (EDAC) for μP random access memory (RAM)

5. Serial communications controller (SCC) for the modem

6. Programmable read only memory (PROM)

The modem board is responsible for interfacing the digital data stream (i.e., message traffic) between the μP (via the SCC) and the RF communication suite. The modulated intermediate frequency (IF) signal at 70 MHz is an input from (output to) the RF subsystem. The modem conducts A/D conversion (as required) and demodulation (and modulation) of the message. The signal is spread (and despread) using a pseudo noise (PN) code generator.

Analog multiplexers on the DCS provide A/D conversion of temperature sensor data for telemetry monitoring and archiving in the MASS devices. This data is used for historical health and welfare monitoring by the NPS ground station and is included in the down-linked telemetry message.

There are two redundant mass storage devices (MASS A and MASS B), each of which contains 4 megabytes of volatile static RAM as well as 512 kilobytes of non-volatile flash memory. The non-volatile memory is not space qualified (not radiation hardened) and is being flown on an experimental basis. The flash memory will not be relied upon to maintain any required software programs or message traffic, but will be used experimentally to build a data base for future exploitation.


Figure  7.  PANSAT  System  Controller  Block  Diagram 


e. Communication (COMM) Subsystem

The PANSAT communication subsystem (Fig. 8) is the only spacecraft payload. Predominantly referred to as the RF subsystem, it will operate in the amateur radio community's 70 centimeter wavelength band, providing digital radio packet switching communication using direct sequence spread spectrum techniques. The RF section is located on the lower equipment plate. It includes frequency conversion, low noise amplification (LNA), high power amplification (HPA), and raw bus power conditioning.
(1) Reception. The received signal from the antenna system is routed to the receiver section by the transmit/receive (T/R) switch, shown in Fig. 8 as S1. The signal is then routed to one of the two low noise amplifier (LNA) circuits by the signal routing switch (S2). Frequency down-conversion to the 70 MHz intermediate frequency (IF) is performed by one of two signal mixers. The IF signal, still in DSSS format, is routed to the DCS (A or B) modem board where it is processed.


(2) Transmission. A DSSS signal is routed from one of the DCS modem boards at IF to the common RF transmit switch (S9). The signal is routed to a mixer where it is shifted to the transmit frequency of 436.5 MHz. Amplification of the signal is conducted by one of two high power amplifiers (HPA). Each HPA is composed of two cascaded amplifiers. The transmit signal is then routed to the antenna via the T/R switch.

The antenna element consists of four dipole antennas in a tangential turnstile configuration mounted on the bottom half of the S/C (Fig. 3). The feed system connects the four antennas and performs impedance matching between the antenna and the coaxial cable connecting the feed system to the band pass filter.

Functional redundancy is built into the RF subsystem, with the exception of nine DCS-commanded switches or relays used to route the receive and transmit signals.

2. Software Architecture

The computer system architecture employed by the PANSAT design may best be described as a model which incorporates both the software and hardware layers. Software tasks, which provide the user services, are placed on top of the architectural hierarchy, with protocol handlers (i.e., the operating system) and the hardware structure as lower layers. Figure 9 shows the hierarchy of the hardware communications equipment, operating system, protocol software and other software tasks for the S/C.


Figure  9.  PANSAT  Computer  Architecture  [Ref.  3] 


a. Operating system structure

The PANSAT architecture will take advantage of two proven commercial software products, the Space Craft Operating System (SCOS) and a companion product called BekTek AX.25 (BAX) which implements the link layer protocol. SCOS will provide a standard application program interface to assist in the development of multi-tasking applications. These services include a real-time multi-tasking kernel, message passing facilities for inter-task communications, Direct Memory Access (DMA), and interrupt driven Input/Output (I/O) drivers.

Post-launch modification of the software structure is a design requirement that will considerably enhance the functionality and reliability of the software environment. The experimental nature of the S/C does not permit a complete forecast of the S/C operating scenarios during the design process.

The boot process will consist of the minimum actions required to initialize the necessary hardware so that the S/C is capable of communicating with the ground station. This will allow any software component, including the operating system, to be uploaded.


b.  Link  layered  protocol 

Amateur packet radio is a communication technique that allows high speed and low error rate digital data exchange. A data link protocol was developed by the amateur radio community that is compatible with the seven layer Open Systems Interconnection (OSI) reference model. This protocol, called AX.25, was adopted by the amateur radio community as an offshoot of the International Telegraph and Telephone Consultative Committee (CCITT) X.25 data link layer protocol, a standard for packet switching.

The data link layer, considered the second level protocol, provides the communication between the physical layer (modem) and the network layer, which for this design is basically the application programs. This is accomplished by receiving streams of bits from the physical layer and applying a structure, or frame, to those streams (Fig. 10). Each frame is composed of several smaller groups of data, called fields, which carry the various overhead data management information and the raw data. The AX.25 protocol uses a technique called bit stuffing to maintain a unique bit pattern sequencing within a frame and eliminate the possibility of flags appearing within the contents of a frame. Error detection of each frame, by a cyclic redundancy check (CRC), helps detect any corruption of data by the physical layer.

Figure 10. AX.25 Information Frame [Ref. 3]


The AX.25 frame management scheme allows the information to be sent in packets, with up to eight outstanding frames in a relay sequence [Ref. 3]. Burst transmissions of these frames will allow multiple users in the same geographical area to access the S/C on a single pass. There are other small satellites deployed which possess this packet switching capability, but none that has attempted it using spread spectrum modulation techniques.
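As an added illustration of the framing rules just described (this is example code, not code from the thesis or from the BAX product), the Python below builds and parses an AX.25/HDLC frame: it computes the CRC-16 frame check sequence, bit-stuffs the body so that the 0x7E flag cannot occur inside it, and on receive un-stuffs the body and verifies the FCS. It assumes the standard HDLC conventions that AX.25 inherits (octets sent least-significant bit first, a 0 inserted after every five consecutive 1s, the FCS computed as CRC-16/X-25 and appended low octet first); the sample payload is constructed.

```python
"""AX.25/HDLC framing: bit stuffing and the CRC-16 frame check sequence.

Added example, not PANSAT or BAX code.  Assumed conventions (standard HDLC,
inherited by AX.25): flag 0x7E = 01111110, octets sent least-significant
bit first, a 0 stuffed after every run of five 1s inside the frame, and the
FCS computed as CRC-16/X-25 (poly 0x1021, init 0xFFFF, reflected, final
XOR 0xFFFF) and appended low octet first.
"""

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]   # 0x7E as it appears on the air
POLY_REFLECTED = 0x8408           # 0x1021 bit-reversed for the LSB-first loop


def fcs(data: bytes) -> int:
    """CRC-16/X-25 over the payload; fcs(b"123456789") == 0x906E."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def bytes_to_bits(data: bytes) -> list:
    """Serialize octets LSB first, as HDLC does."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Reverse of bytes_to_bits; a partial octet means the frame was damaged."""
    if len(bits) % 8:
        raise ValueError("frame body is not a whole number of octets")
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


def bit_stuff(bits: list) -> list:
    """Insert a 0 after five consecutive 1s so 01111110 never occurs in the body."""
    out, ones = [], 0
    for bit in bits:
        out.append(bit)
        ones = ones + 1 if bit else 0
        if ones == 5:
            out.append(0)
            ones = 0
    return out


def bit_unstuff(bits: list) -> list:
    """Drop the stuffed 0s; a sixth 1 means a flag or abort landed inside the body."""
    out, ones, expect_stuffed_zero = [], 0, False
    for bit in bits:
        if expect_stuffed_zero:
            if bit:
                raise ValueError("six consecutive 1s inside frame body")
            expect_stuffed_zero, ones = False, 0
            continue
        out.append(bit)
        ones = ones + 1 if bit else 0
        if ones == 5:
            expect_stuffed_zero = True
    return out


def build_frame(payload: bytes) -> list:
    """flag | stuffed(payload || FCS) | flag, as the bit stream leaves the modem."""
    crc = fcs(payload)
    body = payload + bytes([crc & 0xFF, crc >> 8])   # FCS low octet first (assumed)
    return FLAG + bit_stuff(bytes_to_bits(body)) + FLAG


def parse_frame(bits: list) -> bytes:
    """Strip flags, un-stuff, and verify the FCS; raise ValueError on any corruption."""
    if bits[:8] != FLAG or bits[-8:] != FLAG:
        raise ValueError("missing opening or closing flag")
    body = bits_to_bytes(bit_unstuff(bits[8:-8]))
    if len(body) < 2:
        raise ValueError("frame too short to carry an FCS")
    payload, received = body[:-2], body[-2] | (body[-1] << 8)
    if fcs(payload) != received:
        raise ValueError("FCS mismatch: frame corrupted on the physical layer")
    return payload


if __name__ == "__main__":
    sample = b"\xff\xff\x7e\x01"      # constructed payload: long 1-runs and a 0x7E octet
    frame = build_frame(sample)
    print("stuffed body:", "".join(map(str, frame[8:-8])))
    print("round trip:", parse_frame(frame) == sample)
```

The constructed payload deliberately contains runs of 1s and a 0x7E octet; after stuffing, no six consecutive 1s remain in the body, so the receiver can always distinguish data from the closing flag, and any single flipped bit either breaks the octet alignment after un-stuffing or fails the FCS check.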

c.  Spacecraft  Commanding 

Commanding  of  the  S/C  is  required  for  software  program  uploads  and  other 
subsystem  command  functions.  These  command  functions  can  include  routine  operations 
such  as  battery  charging,  battery  reconditioning,  and  transmitter  power  level 
modifications.  Commanding  may  also  be  necessary  to  reconfigure  the  system  due  to  a 
failure,  abnormal  operation,  or  impending  failure  conditions. 

3.  Ground  Station 

A ground station is required to conduct S/C management, maintenance control, and data archiving. The ground station, located at NPS and administered by the Space Systems Academic Group (SSAG), will be the focal point for S/C commanding, software system uploads, health and welfare data collection, and archiving, and will provide an external interface with the amateur radio community. This external interface, as presently planned, will be via the Internet with a dedicated world wide web (www) home page for the PANSAT program. This will provide the user not only the capability to obtain necessary access data such as orbital ephemeris, transmission frequency, S/C availability, and the PN code for spread spectrum operations, but also program data of interest such as user statistics and archived telemetry data.

C. PROGRAM LIFE-CYCLE

The PANSAT project has evolved from conception in 1989 to its present design state. As depicted in Fig. 11, a subsystem design freeze in late 1995 will be made to support an STS-86 Atlantis launch in late 1997.


PANSAT  SCHEDULE 


Figure  11.  PANSAT  Design  Life-cycle 


1.  Mission  Duration 

The present launch scenario from the shuttle would give the S/C an orbit life of approximately two years before it decays into the earth's atmosphere. Other launch options, including various shuttle orbits, are being investigated as possible launch scenarios. Regardless of the launch scenario, a two year mean mission duration requirement is maintained for the S/C hardware architecture.

2.  Launch  Options 

a.  Hitchhiker  Program 

The PANSAT S/C can be launched from a Shuttle Get Away Special (GAS) canister as a payload of the Hitchhiker program. The S/C is mounted in a GAS canister in the shuttle's cargo bay by a Marman clamp from an ejection mechanism to the S/C LVI. No other interface between the S/C and the shuttle is required. All commanding and control of the S/C will be made by the NPS ground station once the S/C is deployed and initialized.

b.  Minuteman 

Launch from a refurbished Minuteman launch vehicle is a recent option available for spacecraft requiring a LEO. Capable of placing PANSAT in a much higher orbit and inclination, it radically modifies the orbital and mission options. Able to place the S/C in a sun-synchronous orbit, it could modify the deployment requirements of a power conscious design such as PANSAT or a follow-on project.

III. RELIABILITY


A.  RELIABILITY  ANALYSIS  BACKGROUND 

The political climate in today's marketplace, both government and industrial, does not afford the decision maker the luxury of ballooning budgets and long production lead times. Social, political, and economic constraints dictate the exploitation of alternative methods to maximize the efficiency and effectiveness of every system produced. The goal of reliability analysis thus becomes a technique to measure and enhance a system's reliability at minimum cost. This will permit program managers and system designers to deploy the most cost effective system.

1.  Stages  of  Systems  Analysis 

There are two avenues of thought which encompass system reliability analysis: inductive and deductive reasoning [Ref. 4]. Each process may be unique to a particular analysis method or stage in the analysis procedure.

a.  Inductive 

During  the  inductive  stage,  information  is  researched,  gathered,  and  organized  to 
conceptualize  the  systems  definition,  functional  description,  and  determination  of  the 
critical  components.  This  process  helps  to  answer  the  question  "What  can  happen  to  the 
system  as  a  result  of  a  component  failure  or  human  error?". 

b.  Deductive 

The deductive analysis of a system design helps answer the question "How can the system fail?". A logic tree is often the best device for deducing how a major system failure event could occur. Application of such a method requires an in-depth understanding of how the system operates within the operational environment. Many methods are available for performing the analysis, such as fault tree analysis, decomposition, circuit stress analysis, or the state space approach. Each may be more suitable at various stages of the program life-cycle. Fault tree analysis (FTA) was chosen for the PANSAT hardware design analysis due to the applicability of the process to the design status. The use of FTA can be very beneficial as a design tool to identify potential flaws in a system design and help eliminate costly design changes and retrofits. Equally valuable as a diagnostic tool, it can predict the most likely causes of a system failure.


2.  Phased  Mission  Profiles 

The various mission profiles of spacecraft (S/C) operation have distinct effects on system reliability. A mission phase is defined as a period of time in which the functional organization of the system is constant. The system must accomplish a specific task, or set of tasks, during each particular phase. Detailed analysis of a system must be accomplished independently for each phase of the mission life-cycle.

Because of the simple operational profile of the PANSAT S/C, due largely to the absence of any attitude control or orbital plane change requirements, the life-cycle mission can be reduced to two basic mission phases, launch/initialization and operations.

a.  Launch  and  Initialization 

This phase begins immediately upon deployment of the S/C from the GAS canister. During this phase the S/C powers up following a successful deployment and, when in "daylight" (the design analysis assumes dead batteries upon launch), conducts hardware and basic operating system initialization procedures which include:

(1) Hardware diagnostics which test for failure conditions and configure the S/C accordingly. Diagnostic procedures are performed continuously if the S/C has failed to acquire communications with the NPS ground station.

(2) A basic operating system is loaded from onboard ROM storage. This system contains the basic command list for the higher level operating system. The higher level operating system and application software are uploaded from the NPS ground station once the communication link has been established and the S/C is in a stable configuration.

(3)  It  is  anticipated  that  both  onboard  storage  batteries  will  be  depleted  upon 
ejection  from  the  shuttle.  An  initialization  procedure  will  require  at  least  one  of  the 
batteries  to  be  charged  to  an  acceptable  level  prior  to  any  interaction  of  the  S/C  with  a 
ground  station. 

(4)  The  four  dipole  antennas  are  tied  back  in  a  stowed  condition  while  the  S/C 
is  in  the  GAS  canister.  Upon  ejection  from  the  canister  the  antennas  will  be  deployed  by 
burning  the  nylon  restraints  with  heaters  powered  by  the  solar  arrays. 

(5) Link closure with the NPS ground station is the final objective of the initialization segment. If satisfactory conditions are present, the high level operating system and application software will be uploaded to the S/C.

The  launch  and  initialization  phase  could  last  several  days  before  the  link  with 
NPS  has  been  established.  Following  software  uploads  the  S/C  will  undergo  a  testing 
period. 


b.  Operations 

This phase is the normal operating mode of the S/C. The S/C enters this phase once the preceding phase is completed satisfactorily. The analysis of this thesis will concentrate on this phase, assuming the initialization phase has occurred without incident.

B.  FAULT  TREE  ANALYSIS  DESCRIPTION 

It is beneficial to understand the background of FTA to gain a better appreciation of the basis, application, and limitations of the method. As a visual tool it is useful in communicating and supporting decisions based upon the analysis, both for the design engineer and the management decision maker. Fault tree analysis also provides a convenient and efficient format that is helpful for both qualitative and quantitative evaluation [Ref. 4].

1.  Historical  Background 

Conceived  by  H.  A.  Watson  of  the  Bell  Telephone  Laboratories  in  1961  to  evaluate 
the  safety  of  the  Minuteman  ICBM  launch  control  system,  the  method  has  evolved  into 
one  of  the  most  powerful  analytical  tools  used  to  evaluate  system  safety  [Ref.  5].  As  the 
method  has  developed,  its  application  to  solving  real  world  analysis  problems  has  also 
expanded.  Once  a  tedious  procedure  requiring  large  analytical  teams,  it  can  now  be 
performed  by  a  single  reliability  analyst  using  powerful  reliability  software  tools.  The 
application  of  FTA  has  spread  from  humble  beginnings  in  the  aerospace  industry  to  vast 
commercial  applications,  including  its  use  as  the  principal  method  for  system  safety 
analysis  (hazard  analysis)  in  the  nuclear  power  industry. 

2.  Fault  Tree  Analysis  Utility 

Events  or  situations  requiring  the  application  of  FTA  are  typically  identified  by 
inductive  analysis  or  system  analyst  intuition.  Typically  the  events  are  the  result  of  some 
subsystem  functional  failure.  The  method  is  unusually  versatile  in  that  it  permits 
sensitivity  analysis,  analysis  qualification,  analysis  quantification,  and  evaluation  of 
alternative  designs  for  potential  tradeoffs.  The  FTA  method  is  unique  in  that  it  also  can 
be  used  to  create  a  success  tree. 

a.  Advantages 

The  FTA  method  has  four  major  advantages  over  other  forms  of  systems  critical 
failure  analysis  [Ref.  5]. 

(1)  Directs  the  analyst  deductively  to  accident  related  events.  The  deductive 
approach  to  describing  how  a  system  could  fail,  often  referred  to  as  the  top-down 
approach,  will  uncover  all  failures  or  combinations  thereof  which  could  cause  the 
undesired  event.  This  kind  of  approach  lends  itself  to  better  organization  and  control  than 
other  methods  based  on  a  bottom-up  approach. 
(2) Provides a depiction of the system functions that lead to undesired outcomes. The graphical representation of the fault tree provides the decision maker with a clear and concise understanding of the inter-relationship of failure events.

(3)  Provides  options  for  both  qualitative  and  quantitative  analysis. 

Quantitative  analysis  is  desirable  if  solid  reliability  data  is  available  for  the  tree's  end 
events.  Quantification  permits  the  measurement  of  the  likelihood  of  occurrence  of  the  top 
event,  node,  or  subsystem  within  the  tree.  Probabilistic  measures  of  importance  (i.e., 
reliability  importance)  can  be  obtained  and  an  objective  measure  of  the  risk  can  be 
ascertained  utilizing  this  approach. 

Early in the development cycle reliability data may not be available, due to either insufficient reliability data on the components or the maturity of the design. Qualitative analysis, however, can provide the failure event sets and measures of the importance of the individual end events in the causation process. Qualitative analysis is more commonly used because it does not require precise failure rates for the end events. It results in sets of events that cause the top event and a ranking of these events for their importance in causing the top event. This relationship is known as the system's structural importance.

(4) Provides the analyst with insight into system behavior. The process of FTA is so detailed in its logical relationships that it forces the analyst to understand the system beyond the level enjoyed by even some subsystem design engineers or system managers.

b.  Disadvantages 

The significant shortcomings of FTA relate to the process of synthesizing a fault tree. The process is often time consuming and overwhelming in detail; even a design as simple as PANSAT can require considerable effort to achieve a comprehensive study of all the common cause failures. Failure mode oversight and omission may be one of the major drawbacks of FTA, but this is true of any analysis methodology.

Modeling of the fault tree may be difficult when attempting to describe the failure of system components that can operate in a degraded mode. The Boolean logic structure of the fault tree assumes a component is either working or has failed. This limits the FTA process to analyzing the system for critical failures only.

Despite  its  drawbacks,  as  systems  become  increasingly  more  complex,  the 
deductive  and  systematic  approach  used  by  FTA  becomes  increasingly  beneficial.  The 
increased  availability  of  low  cost  software  packages  has  been  an  overwhelming  aid  in 
constructing  and  analyzing  fault  trees,  making  the  effort  not  only  beneficial  but  time  and 
cost  efficient  as  well. 

c.  Assumptions 

Similar  to  all  forms  of  analysis  methods,  FTA  is  restricted  to  the  domain 
constraints  for  which  it  is  valid.  The  following  assumptions  were  made  to  assist  in  the 
synthesis  of  the  fault  tree. 

(1) The composition of the fault tree assumes components are capable of only two states of performance, either functioning or failed. The probability that a component is functioning at some time t may be characterized by a statistical distribution. The exponential distribution is often chosen for components exhibiting constant, or nearly constant, failure rates. As with the components, the system depends on the performance of its components and is capable of only two states of performance, functioning or failed.

(2) Each of the system's components is assumed to have a statistically independent life. There is no ability to repair or replace any component, and each has a finite lifetime.

(3) The S/C physical structure is assumed to remain intact for the duration of its mission. Although it will undergo stresses and strains, particularly during launch, it is assumed that it will never operate outside its design envelope. No structural component will experience strains greater than the elastic limit nor fatigue failure due to mechanical and thermal cycling.

(4) Each component in the fault tree is relevant to the system's operation. This implies that each basic event appears in at least one of the minimum cut sets. A minimum cut set is defined as the combination of the fewest component failures that causes the system to fail. Complex systems may have a large number of minimum cut sets.

C.  THEORETICAL  DEVELOPMENT 

System structures are based on two generic structures, the series and the parallel structured systems. The series system functions if all of its components function, and the parallel system functions if at least one of its components functions (Fig. 12).

The relationship of the performance of the components to the performance of the system defines the performance logic of the system. Fault tree analysis will correlate the functional block diagram of the system structure to the logic structure of the system. The following background illustrates the development of FTA theory and ensures that the essential issues are addressed in the synthesis of the fault tree. The vast majority of the following theoretical derivation was taken from Professor J. D. Esary's notes [Ref. 6] and notes from a reliability course [Ref. 7].

1.  Structure  Function 

The structure function, $\Phi(\mathbf{x})$, for a system relates the operation of a system's components to the operation of the system. There are many analytical advantages to the derivation of the structure function, as will be evident later.

a.  Notation 

(1) All vectors are represented in bold type.

(2) $T$ is the time to system failure.

(3) $T_i$ is the time to failure of component $i$.

(4) $x_i$ is a Binomial random variable (r.v.) for component $i$ with value

$$x_i = \begin{cases} 1 & \text{if component } i \text{ is functioning} \\ 0 & \text{if component } i \text{ has failed} \end{cases}$$

(5) $\mathbf{x} = (x_1, x_2, \ldots, x_n)$ is the system state vector, in which $n$ components describe the system structure.

(6) $P[x_i = 1] = p_i$ is the probability that component $i$ is working at some time $t$.

(7) $P[x_i = 0] = 1 - p_i$ is the probability that component $i$ has failed by time $t$.

(8) $\mathbf{p} = (p_1, p_2, \ldots, p_n)$ is the system probability vector.

(9) $E[y]$ is the expected value of the r.v. $y$.

Figure  12.  Generic  System  Structures 


(10) $\Phi(\mathbf{x})$ is the system structure function describing the state of the system:

$$\Phi(\mathbf{x}) = \begin{cases} 1 & \text{if the system is working at time } t \\ 0 & \text{otherwise} \end{cases}$$

(11) $\Phi(1_i, \mathbf{x})$ represents the structure function in which the $i$th component of the state vector $\mathbf{x}$ has the binomial value one.

(12) $\Phi(0_i, \mathbf{x})$ represents the structure function in which the $i$th component of the state vector $\mathbf{x}$ has the binomial value zero.

(13) Mathematical notation:

$$\prod_{i=1}^{n} x_i = (x_1)(x_2)\cdots(x_n), \qquad \coprod_{i=1}^{n} x_i = 1 - \prod_{i=1}^{n}(1 - x_i)$$

b.  Series  Structure 

The series structured system (Fig. 12) requires each component to function in order for the system to function. If any component fails, the system fails. The system lifetime is therefore determined by the weakest link, i.e., the shortest component lifetime:

$$P[T > t] = P[\min(T_1, T_2, \ldots, T_n) > t]$$

The system structure function for a series structured system is given in eq. 1 as the product of all the component binomial states.

$$\Phi(\mathbf{x}) = \begin{cases} 1 & \text{iff } x_i = 1 \text{ for } i = 1, 2, \ldots, n \\ 0 & \text{if any } x_i = 0 \end{cases} = \prod_{i=1}^{n} x_i \qquad (1)$$


c.  Parallel  Structure 

The parallel structured system (Fig. 12) requires only that at least one of the parallel components operate in order for the system to operate. If all the components in parallel fail, the system fails. The system lifetime is therefore determined by the longest component lifetime:

$$P[T > t] = P[\max(T_1, T_2, \ldots, T_n) > t]$$

Equation 2 shows how the parallel system structure function is determined. A simple example at the conclusion of this chapter provides insight into the application of this mathematical notation.

$$\Phi(\mathbf{x}) = \begin{cases} 1 & \text{if any } x_i = 1,\ i = 1, 2, \ldots, n \\ 0 & \text{iff all } x_i = 0,\ i = 1, 2, \ldots, n \end{cases} = \coprod_{i=1}^{n} x_i = 1 - \prod_{i=1}^{n}(1 - x_i) = x_1 \amalg x_2 \amalg \cdots \amalg x_n \qquad (2)$$


2.  Component  Relevance 

A component is relevant to the system's operation if its failure can affect the performance of the system, and should be considered when conducting the failure analysis. If component $i$ is relevant to the system's operation then eq. 3 holds.

$$\Phi(1_i, \mathbf{x}) \neq \Phi(0_i, \mathbf{x}) \quad \text{for some } (\cdot_i, \mathbf{x}) \qquad (3)$$

Conversely, if a component is irrelevant its operation has no influence on the function of the system, and the condition of eq. 4 is always true.

$$\Phi(1_i, \mathbf{x}) = \Phi(0_i, \mathbf{x}) \quad \forall\, \mathbf{x} \qquad (4)$$


The concept of relevance is important when determining the reliability function of the system. Only components relevant to the system operation should be considered when determining the reliability of the system. An important consideration in defining component relevance therefore becomes one of defining what constitutes the system's operational status.

3.  Coherent  Systems 

A system is defined as a coherent system if its structure function satisfies the following three conditions.

a. $\Phi(\mathbf{1}) = 1$, where $\mathbf{1}$ is the vector $(1, 1, \ldots, 1)$

b. $\Phi(\mathbf{0}) = 0$, where $\mathbf{0}$ is the vector $(0, 0, \ldots, 0)$

c. $\Phi(\mathbf{x}) \le \Phi(\mathbf{y})$ whenever $x_i \le y_i\ \forall\, i$

A coherent structure is monotonic non-decreasing in $\mathbf{x}$ and all structure components are relevant to the system's operation. Many times the structure function is not easily defined, but can be approximated by bounding the function. The structure function can always be bounded below by the series structured case and bounded above by the parallel structured case, as shown in eq. 5. The loose bounds inherent in eq. 5 may limit its practical use.

$$\prod_{i=1}^{n} x_i \le \Phi(\mathbf{x}) \le \coprod_{i=1}^{n} x_i \qquad (5)$$


4.  Minimal  Path  and  Minimal  Cut  Sets 
a.  Minimal  Path  Sets 

A path set of a coherent system is a set of components which, by all working, cause the system to function. A minimal path set is a smallest subset of components within a path set which, by all working, cause the system to function. The union of all minimal path sets then defines the set of system relevant components. Using vector notation for the system of components, a path set is a combination of components of $\mathbf{x}$ that satisfies:

$$\Phi(\mathbf{x}) = 1 \quad \text{(i.e., system working)} \qquad (6)$$

Let $P_j$ denote the $j$th minimal path set ($p$ possible minimal path sets) and let $\rho_j(\mathbf{x})$ be its binary function. Since all components of a minimal path set must function for the system to function, the minimal path set is similar to the series system structure. Equation 7 defines the minimal path set function.

$$\rho_j(\mathbf{x}) = \prod_{i \in P_j} x_i = \begin{cases} 1 & \text{if all } x_i,\ i \in P_j, \text{ are working} \\ 0 & \text{otherwise} \end{cases} \qquad (7)$$
Only one minimal path set must function for the system to function. The parallel arrangement of minimal path sets can therefore describe the system's structural relationship. Equation 8 describes the system structure function using the minimal path set notation. Figure 13 shows a pictorial relationship of the minimal path sets for an example problem.

$$\Phi(\mathbf{x}) = \coprod_{j=1}^{p} \rho_j(\mathbf{x}) \qquad (8)$$

The structure function can then be viewed as a parallel arrangement of the path sets. This is typically referenced as a parallel-series arrangement.

b.  Minimum  Cut  Sets 

A cut set of a system's structure refers to a combination of component failures that would cause the system's failure. A minimal cut set is therefore a smallest subset of components which, by all failing, cause the system to fail. Analysis of minimal cut sets is an important aspect of FTA from a qualitative standpoint. Similarly to the path set notation, a cut set is one that satisfies eq. 9.

$$\Phi(\mathbf{x}) = 0 \quad \text{(i.e., system failed)} \qquad (9)$$


Let $K_j$ denote the $j$th minimal cut set ($k$ possible minimal cut sets) and let $\kappa_j(\mathbf{x})$ be its binary function. All the components in a minimal cut set must fail to cause the system to fail. This is similar to a parallel structured system. Equation 10 defines the minimal cut set function.

$$\kappa_j(\mathbf{x}) = \coprod_{i \in K_j} x_i = \begin{cases} 0 & \text{iff all } x_i,\ i \in K_j, \text{ have failed} \\ 1 & \text{otherwise} \end{cases} \qquad (10)$$
Only one minimal cut set must fail to cause the system to fail. The series arrangement of cut sets can therefore describe the system's structural relationship. Equation 11 describes the system structure function using the minimal cut set notation. Figure 13 shows a pictorial relationship of the minimal cut sets for an example problem.

$$\Phi(\mathbf{x}) = \prod_{j=1}^{k} \kappa_j(\mathbf{x}) \qquad (11)$$

The system will fail if at least one of the $\kappa_j$ fails. The structure function is referenced in this case as a series arrangement of cut sets. This is typically referenced as a series-parallel arrangement.

5.  Importance 

It is often productive to gain insight into a component's importance to the system's operation while conducting the system analysis. Qualitative analysis can provide information to measure a component's importance to the system structure, which in turn can direct design efforts to minimize the failure condition. One such tool, called structural importance, can play an effective role in the analytical procedure. The component $x_i$ is said to be structurally important if the condition of eq. 12 is true.

$$\Phi(1_i, \mathbf{x}) - \Phi(0_i, \mathbf{x}) = 1 \qquad (12)$$


The component's operation is then important for the system's operation for the given system state vector $\mathbf{x}$. The number of state vectors $\mathbf{x}$ for which eq. 12 holds true determines the structural importance of the component. For example, a component listed in 1000 minimal cut sets would have a higher structural importance than a component listed in only 10 minimal cut sets. A parallel argument using path sets can also be made. A meaningful measure of a component's structural importance is therefore a count of how many times eq. 12 holds true for the system structure. Equation 13 defines this frequency of occurrence.

$$n_\Phi(i) = \sum_{\{\mathbf{x}\,:\,x_i = 1\}} \left[\Phi(1_i, \mathbf{x}) - \Phi(0_i, \mathbf{x})\right] \quad (n_\Phi(i) \text{ is an integer}) \qquad (13)$$

To represent the relative structural importance of component $i$ with respect to the other components in the structure, the counts are normalized by eq. 14 for a system of $m$ relevant components. The term $I_\Phi(i)$ is known as the normalized structural importance of the $i$th component.

$$I_\Phi(i) = \frac{n_\Phi(i)}{2^{m-1}} \qquad (14)$$

A similar argument determines a component's importance from a reliability standpoint. For example, a series component (a single point failure) with a mean time to failure (MTTF) of 10 years may have a lower reliability importance than either of two redundant parallel components with an MTTF of 60 days. To determine a component's reliability importance, reliability data must be available for all the relevant components in the system structure. Reliability importance is defined in eq. 15.

$$I_h(i) = E\left[\Phi(1_i, \mathbf{x}) - \Phi(0_i, \mathbf{x})\right] \qquad (15)$$


6.  Reliability  Function 

Given that the components in a system operate independently, with Bernoulli (0 or 1)
random variables X = (X_1, X_2, ..., X_n) and component reliabilities p_i = P[X_i = 1],
the reliability of the system can be described by the reliability function h(p). Equation
16 gives the reliability function.

(16)  h(p) = P[\phi(X) = 1] = E[\phi(X)]


This equation holds true only if the X_i are statistically independent. Using the
reliability function, the reliability importance described previously can be determined
directly for each component with eq. 17: it is the partial derivative of h with respect to
the component's reliability.

(17)  I_h(i) = h(1_i, p) - h(0_i, p) = \frac{\partial h(p)}{\partial p_i}
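Equations 13 through 17 evaluated by direct enumeration of the state vector, as an added worked example in Python (this is not code from the thesis). The structure function used, a series component feeding a parallel pair, is the one analyzed in the fault tree example at the end of this chapter, and the reliability values 0.9, 0.7, 0.7 are that example's as well; the function names are the example's own.

```python
# Added example (not from the thesis): structural importance (eq. 13/14) and
# reliability importance (eq. 15/17) by brute-force enumeration of the state vector.
from itertools import product


def coproduct(*values):
    """Coproduct (parallel) operator: 1 - prod(1 - v)."""
    result = 1.0
    for v in values:
        result *= 1 - v
    return 1 - result


def phi_example(x):
    """Structure function phi(x) = x1 * (x2 coproduct x3): component 1 in series
    with the parallel pair 2, 3 (the structure of the chapter's worked example)."""
    x1, x2, x3 = x
    return x1 * coproduct(x2, x3)


def structural_importance(phi, m):
    """Eq. 13/14: for each component i, count the 2^(m-1) states of the other
    components in which forcing x_i to 1 rather than 0 changes phi, then normalize."""
    result = []
    for i in range(m):
        n_phi = 0.0
        for x in product((0, 1), repeat=m):
            if x[i] != 1:          # visit each (., x) state of the others exactly once
                continue
            x_one = list(x)
            x_zero = list(x)
            x_zero[i] = 0
            n_phi += phi(x_one) - phi(x_zero)
        result.append(n_phi / 2 ** (m - 1))
    return result


def reliability_function(phi, p):
    """Eq. 16: h(p) = E[phi(X)] for independent components, summed over all 2^m states."""
    h = 0.0
    for x in product((0, 1), repeat=len(p)):
        prob = 1.0
        for xi, pi in zip(x, p):
            prob *= pi if xi else 1 - pi
        h += prob * phi(x)
    return h


def reliability_importance(phi, p):
    """Eq. 17: I_h(i) = h(1_i, p) - h(0_i, p), i.e. the partial derivative of h wrt p_i."""
    result = []
    for i in range(len(p)):
        p_one = list(p)
        p_one[i] = 1.0
        p_zero = list(p)
        p_zero[i] = 0.0
        result.append(reliability_function(phi, p_one) - reliability_function(phi, p_zero))
    return result


if __name__ == "__main__":
    p = [0.9, 0.7, 0.7]            # the chapter's example values
    print("I_phi:", structural_importance(phi_example, 3))
    print("h(p):", reliability_function(phi_example, p))
    print("I_h:", reliability_importance(phi_example, p))
```

The series component scores 3/4 structurally against 1/4 for each parallel component, and with the example's reliabilities its reliability importance is 0.91 against 0.27, which is the ordering the chapter's example later reports.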


7.  Association 

The previous reliability discussions have assumed component independence. In
real world applications this is not always true and should not be lightly assumed. The
independence relationship between components will be replaced with an alternative form,
association, which is simply non-negative dependence between the components [Ref. 8].
System components can become positively dependent in various manners. For example,
two components located side by side on a printed circuit board are subject to the same
operational environment. Environmental conditions that affect one component may also
affect the other. This creates a common positive dependence between the components.
Random variables {X_1, X_2, ..., X_n} are said to be associated if every pair of
non-decreasing functions of them has non-negative covariance. Properties of associated
r.v.'s are further explained in Ref. 6.

The components of PANSAT fall into the positive dependence category due to the
environmental effects. If the reliability of associated components is calculated using the
independence assumption, then the reliability is underestimated for a series structure and
overestimated for a parallel structure. Assuming association, the reliability can be
bounded by the series and parallel cases. Assume a system consists of k minimum cut
sets and p minimum path sets; then the following theorem, eq. 18, can be shown [Ref. 6]
to bound the system reliability.
(18)  \prod_{j=1}^{k} P[K_j(X) = 1] \le P[\phi(X) = 1] \le \coprod_{j=1}^{p} P[P_j(X) = 1]

A tighter bound for the reliability, eq. 19, can be generated by observing the
probability values for the minimum cut set and minimum path set functions, and applying
the most limiting conditions for the upper and lower bounds [Ref. 6].

(19)  \max_{1 \le j \le p} P[P_j(X) = 1] \le P[\phi(X) = 1] \le \min_{1 \le j \le k} P[K_j(X) = 1]


8.  Special  Structure  System  (k-out-of-n) 

An offshoot of the parallel structure is a system that works if k-out-of-n
components function. A practical application of the k-out-of-n concept to the PANSAT
design is the notion of solar panel failure. The system will not fail if one solar panel fails,
but is definitely inoperable if all 17 solar panels fail. There is some number, k, such that
the system remains functional only if at least k panels are operable. Solar panel failure is
an important concern for PANSAT due to its operation on a very restrictive power
margin.

The simple case, where two out of three components are required to be
operational for the system to function, is shown in Fig. 13. The diagram shows the
representation using the minimum path set approach and the minimum cut set approach.
Each path represents a minimum component combination (i.e., two components) for a
successful mode of system operation. This is referred to as the minimum path set
representation of the system structure. Figure 13 also shows the minimum cut set
representation, where any two component failures will cause the system to fail.

Since this is a redundant (parallel-type) structure, the minimum path sets are obtained
by observing the system functional structure. Any combination of two working
components will allow the system to function. Application of eq. 7 to the observed set of
minimum path sets (x_1, x_2), (x_1, x_3), and (x_2, x_3) results in the following.

p_1 = x_1 x_2;  p_2 = x_1 x_3;  p_3 = x_2 x_3
The structure function is determined by applying the minimum path sets to eq. 8.

\phi(x) = \phi(x_1, x_2, x_3) = x_1 x_2 \coprod x_1 x_3 \coprod x_2 x_3

        = x_1 x_2 \coprod [1 - (1 - x_1 x_3)(1 - x_2 x_3)]

        = x_1 x_2 \coprod [1 - (1 - x_2 x_3 - x_1 x_3 + x_1 x_2 x_3)]

        = x_1 x_2 \coprod [x_1 x_3 + x_2 x_3 - x_1 x_2 x_3]

        = 1 - (1 - x_1 x_2)(1 - (x_1 x_3 + x_2 x_3 - x_1 x_2 x_3))

        = 1 - [1 - x_1 x_3 - x_2 x_3 - x_1 x_2 + x_1 x_2 x_3 + x_1 x_2 x_3 + x_1 x_2 x_3 - x_1 x_2 x_3]

        = x_1 x_2 + x_1 x_3 + x_2 x_3 - 2 x_1 x_2 x_3


Since each r.v. x_i is binary (i.e., takes the value 0 or 1), the expansion of the
above equation is reduced to first order terms by noting that any power of x_i is equal
to its first order value (i.e., x_i^p = x_i for any positive integer p). Reduction of the
structure function to first order terms is necessary before a one to one correspondence
between the structure function and the reliability function can be made. Recall that the
reliability function is only defined for a system of independent components.

An  identical  system  structure  solution  could  be  obtained  by  using  the  minimum 
cut  set  approach.  This  is  demonstrated  with  an  example  at  the  end  of  the  chapter. 

The structure function for the k-out-of-n system takes the binary value shown in
eq. 20. A closed form expression of the structure function is not provided here, but the
approach is similar to the example shown above.

Figure 13. Two out of Three Component System

(20)  \phi(x) = \begin{cases} 1 & \text{if } \sum_{i=1}^{n} x_i \ge k \\ 0 & \text{if } \sum_{i=1}^{n} x_i < k \end{cases}

The reliability function for the k-out-of-n case, eq. 21, can be written in closed form
if the system is configured of identical components with equal reliability p.

(21)  h(p) = \sum_{i=k}^{n} \binom{n}{i} p^{i} (1 - p)^{n - i}
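The k-out-of-n structure of eq. 20 and eq. 21, together with the association bounds of eq. 18 and eq. 19 from the preceding subsection, as one added worked example in Python (not part of the thesis and not the FaultrEASE package). The 2-out-of-3 case with a per-component reliability of 0.9 is a constructed value; the 17-panel figures printed at the end assume a value of k and a panel reliability of 0.95 purely for illustration, since the thesis leaves k undetermined. Function names are the example's own.

```python
# Added example (not from the thesis): k-out-of-n structure function (eq. 20), its
# closed-form reliability for identical components (eq. 21) checked against direct
# enumeration, and the association bounds of eq. 18 / eq. 19 computed from the
# system's minimum cut sets and minimum path sets.
from itertools import combinations, product
from math import comb


def phi_k_of_n(x, k):
    """Eq. 20: the system works when at least k of the n components work."""
    return 1 if sum(x) >= k else 0


def h_k_of_n_closed(k, n, p):
    """Eq. 21: h(p) = sum_{i=k}^{n} C(n, i) p^i (1 - p)^(n - i), identical components."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def h_k_of_n_enumerated(k, n, p):
    """E[phi(X)] summed over all 2^n states; a direct check of eq. 21 against eq. 20."""
    return sum(phi_k_of_n(x, k) * p ** sum(x) * (1 - p) ** (n - sum(x))
               for x in product((0, 1), repeat=n))


def k_of_n_sets(k, n):
    """Minimum path sets: any k components. Minimum cut sets: any n - k + 1 components."""
    paths = [frozenset(c) for c in combinations(range(n), k)]
    cuts = [frozenset(c) for c in combinations(range(n), n - k + 1)]
    return cuts, paths


def parallel(values):
    """Coproduct: 1 - prod(1 - v)."""
    out = 1.0
    for v in values:
        out *= 1 - v
    return 1 - out


def series(values):
    out = 1.0
    for v in values:
        out *= v
    return out


def cut_prob(cut, p):
    """P[K_j(X) = 1]: at least one component of the cut set works."""
    return parallel(p[i] for i in cut)


def path_prob(path, p):
    """P[P_j(X) = 1]: every component of the path set works."""
    return series(p[i] for i in path)


def bounds_eq18(cuts, paths, p):
    """Eq. 18: product over cut sets <= h <= coproduct over path sets."""
    return series(cut_prob(c, p) for c in cuts), parallel(path_prob(s, p) for s in paths)


def bounds_eq19(cuts, paths, p):
    """Eq. 19: best single path set <= h <= worst single cut set."""
    return max(path_prob(s, p) for s in paths), min(cut_prob(c, p) for c in cuts)


if __name__ == "__main__":
    k, n, p = 2, 3, 0.9                      # constructed: 2-out-of-3, each component 0.9
    cuts, paths = k_of_n_sets(k, n)
    print("closed form h(p):", h_k_of_n_closed(k, n, p))
    print("enumerated  h(p):", h_k_of_n_enumerated(k, n, p))
    print("eq. 18 bounds:", bounds_eq18(cuts, paths, [p] * n))
    print("eq. 19 bounds:", bounds_eq19(cuts, paths, [p] * n))
    # 17 solar panels with an assumed per-panel reliability of 0.95, for several assumed k
    for kk in (15, 16, 17):
        print(f"{kk}-out-of-17:", round(h_k_of_n_closed(kk, 17, 0.95), 4))
```

For the 2-out-of-3 case both eq. 18 and eq. 19 bracket the exact value 0.972, and the eq. 19 interval [0.81, 0.99] is the tighter one, as the text states. The bound functions accept per-component reliabilities, so they apply unchanged to a non-identical system once its minimum cut and path sets are known.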

D.  FAULT  TREE  CONSTRUCTION 

The objective of FTA is to model the system conditions that result in an undesirable
event under constrained environmental conditions. The fault tree models the various
combinations of possible events, both normal and faulty, to give a graphical and logical
representation of the system's response resulting in the "Top Event" failure. Setting well
defined (yet practical) spatial and temporal bounds on the system is a necessary step
required of the analyst to ensure the validity of the analysis of a phased system. Figure
14 illustrates the relationship of the system failure (labeled Top Event) to the basic
component failures (bottom events or leaves). The intermediate events between the Top
Event and the fault tree's leaves describe the conditions that could lead to the Top Event.
These intermediate events are known as the branches of the fault tree.

1.  Methodology 

The FTA method structures the relationship of the sequential events that lead to an
undesired event in a system into a Boolean logic model that reflects the system's
functional structure. The top-down, systematic approach of FTA attempts to define all
possible, yet practical, critical failure paths that will cause the Top Event. The fault tree
grows downward and outward, describing the failures and their causes in increasing
detail. The fault tree symbology described below is that used within the FaultrEASE
software package [Ref. 9] that was utilized for this analysis.


Figure 14. Fault Tree Composition (Top Event at the root, intermediate events as branches, basic events as leaves)

a.  Symbology 

(1) Event Symbology. There are various types of events that are represented in
the fault tree structure. The synthesis, or structuring, of the events provides a logical
fault flow by combining the system failure events with Boolean logic operators. The
respective event symbols (Fig. 15) describe the type of each event and, when combined
with the logical operators, help define a cut set for the Top Event occurrence. End events
are referred to as the leaves of the fault tree.

(2) Logic Gate Symbology. The fault tree represents the logical relationships
between the events of the system. These relationships can be described using a wide
assortment of Boolean logic operators (i.e., Boolean logic gates). The two basic logical
relationships used to describe the majority of the fault tree relationships are the logical
"OR" and "AND" operators (Fig. 16). Within the fault tree, a rectangle is placed above
each operator to describe the event.


Name: Undeveloped Event. Usage: An event that is not further developed.

Name: External Event. Usage: An event that is normally expected to occur.

Name: Conditioning Event. Usage: Applies specific conditions or restrictions.

Name: Transfer In. Usage: Indicates that the tree is developed further (at the transfer point).

Name: Basic Event. Usage: A basic initiating fault requiring no further development.

Name: Inhibit. Usage: Output fault occurs if the input fault occurs in the presence of an
enabling condition.

Figure 15. Fault Tree Event Symbology [Ref. 9]


Name: AND. Equation: A * B. Usage: Output fault occurs if all of the input faults occur.

Name: Priority AND. Equation: (not shown). Usage: Output fault occurs if all of the input
faults occur in a specific sequence.

Name: OR. Equation: A + B - (A * B). Usage: Output fault occurs if at least one of the
input faults occurs.

Name: Exclusive OR. Equation: A + B - 2(A * B). Usage: Output fault occurs if exactly
one of the input faults occurs.

Name: Mutually Exclusive OR. Equation: A + B. Usage: Output fault occurs if any input
fault occurs, but only one can occur.

Name: Vertical Line. Equation: (none). Usage: A connecting line used for placing symbols
on a lower level.

Figure 16. Fault Tree Logical Operator Symbology [Ref. 9]
b. Event Classifications

Although a fault tree can contain normal events, the vast majority of events
appearing within the tree are failure events. Any event that propagates the failure event
needs to be considered during the fault tree synthesis. When defining events, the analyst
should observe the no miracle rule. The no miracle rule states that low probability events
that prevent fault flow need not be considered, but low probability events that cause fault
flow must be considered.

There are five general classifications that describe the failure events that are
logically linked in the fault tree structure. [Ref. 5]

(1) Primary Failure. These are component related failures caused by problems
internal to the component. Repair of a primary failure will return the system to operation.
However, as is the case with PANSAT, repair of primary failures is not typically
possible with deployed spacecraft. This is the principal failure type that will be analyzed.

(2)  Secondary  Failure.  This  is  a  component  related  failure  caused  external  to 
the  component.  Repairing  a  secondary  failure  does  not  bring  the  system  back  to  a 
functioning  condition  if  the  external  problems  are  not  additionally  addressed.  Examples 
of  secondary  failures  are  environmental  stresses  such  as  temperature  or  vibration  stress. 

(3)  Primary  Fault.  These  are  event  occurrences  that  create  fault  flow  that  are 
not  component  related.  This  could  be  a  normal  event  or  one  that  is  caused  by  human 
interaction.  A  primary  fault  may  self  repair. 

(4)  Secondary  Fault.  This  type  of  event  propagates  the  fault  flow  that  is 
externally  influenced.  If  the  conditions  causing  the  fault,  such  as  signal  jamming,  are 
removed  the  secondary  fault  may  self  repair. 

(5)  Command  Fault.  This  is  defined  as  a  fault  or  failure  which  is  caused  by 
commands  external  to  the  source  of  the  fault.  An  example  would  be  the  inadvertent 
activation  of  a  relay  due  to  a  command  fault. 
2. Fault Tree Synthesis

The synthesis (construction) of a fault tree should follow a few well-tested rules to
avoid logic errors or omission of failure events [Ref. 5]. The correct top event, the
event that is most undesirable, must be accurately defined. The entire synthesis of the
fault tree stems from this definition. Accurate boundary conditions are required to
predict the various failure events for which the phased mission operating conditions are
valid.

The next level is defined below the top event by analyzing what set of events is
the most immediate and necessary to cause the top event. At this level, event definition
may be very general in nature. To generate the causal events of the preceding event, the
analyst should ask two general questions. [Ref. 5]

1.  What  are  the  most  immediate  and  sufficient  causes  of  this  event? 

2.  Is  this  a  component  related  event? 

Each event is analyzed as to its causation. If the event is caused by a component
related event, then an OR gate is placed under the event. If it is not a component related
event but a system state related event, then the analyst is free to place any type of gate
under the event as deemed logically appropriate. This process is continued, building a
logic tree from the top event down to the system defined end state events.

E.  FAULT  TREE  EXAMPLE 

An example of a simple system is provided to show how fault tree synthesis and
analysis are conducted. A comparison of the analysis done by hand and the analysis
generated by the FaultrEASE program is provided.

Consider the simple coherent system depicted in Fig. 17. If component one were to
fail, or both components two and three were to fail, the system would become inoperable.
Therefore the minimum cut sets are {1} and {2, 3}. Conversely, if components one and
two, or components one and three, were operating then the system would function. This
describes the minimum path sets as {1, 2} and {1, 3}. The system structure can be
represented using minimum cut set or minimum path set notation. Either approach will
give identical results, as will be shown below.


Figure 17. Simple System Functional Structure (component 1 in series with components 2 and 3, which are in parallel)


1.  Cut  set  notation 

It  is  convenient  to  represent  the  system,  regardless  of  the  approach,  as  a  graphical 
representation  to  aid  in  further  analysis.  As  the  system  gets  larger  and  increasingly 
complex  this  can  become  too  burdensome.  Figure  18  depicts  the  cut  set  representation  of 
the  system  structure. 


Figure  18.  Minimum  Cut  Set  Representation 


The minimum cut set functions are derived using eq. 10.

K_1(x) = x_1

K_2(x) = x_2 \coprod x_3 = 1 - (1 - x_2)(1 - x_3)

From  the  minimum  cut  sets,  the  structure  function  is  determined  using  eq.  11. 
\phi(x) = \phi(x_1, x_2, x_3) = \prod_{j=1}^{2} K_j(x)

        = K_1 K_2 = [x_1][1 - (1 - x_2)(1 - x_3)]

        = [x_1][x_2 + x_3 - x_2 x_3]

        = x_1 x_2 + x_1 x_3 - x_1 x_2 x_3


If the components are assumed to be independent, the reliability function can be
derived utilizing eq. 16.


h(p) = E[\phi(X)] = p_1 p_2 + p_1 p_3 - p_1 p_2 p_3


2.  Path  set  notation 

Similar  to  the  cut  set  example,  the  minimum  path  set  graphical  representation  of  the 
system  structure  shown  in  Fig.  19  can  be  useful. 
Figure 19. Minimum Path Set Representation


The minimum path sets are derived using eq. 7.

p_1 = x_1 x_2

p_2 = x_1 x_3

From the minimum path sets, the structure function is determined using eq. 8.

\phi(x) = \phi(x_1, x_2, x_3) = \coprod_{j=1}^{2} p_j

        = x_1 x_2 \coprod x_1 x_3

        = 1 - (1 - x_1 x_2)(1 - x_1 x_3)

        = x_1 x_2 + x_1 x_3 - x_1^2 x_2 x_3     (recall x_i^2 = x_i)

        = x_1 x_2 + x_1 x_3 - x_1 x_2 x_3

As previously stated, the path set derivation of the structure function is identical
to that of the cut set derivation. The approach the analyst takes, either cut set or path
set, is determined by the type of analysis that is being conducted.

The structural importance of a component in a system is determined by evaluating
the state vector x under all conditions, while the reliability importance can be evaluated
by assigning component reliability values. Assuming component independence, the
reliability importance can be derived from the reliability function as shown below.

I_h(i) = h(1_i, p) - h(0_i, p) = \frac{\partial h(p)}{\partial p_i}     (if independent)

I_h(1) = p_2 + p_3 - p_2 p_3

I_h(2) = p_1 - p_1 p_3

I_h(3) = p_1 - p_1 p_2


3.  Fault  Tree  Model 

The system functional block diagram (Fig. 17) is used to synthesize the fault tree
shown in Fig. 20. This was accomplished using the rule set explained previously and the
FaultrEASE software package. As an example of the software's computational
capabilities, the probability that each component fails (q_i = 1 - p_i) was assigned to the
components. These values are printed on the program's output below the end event leaves.

To illustrate this example, assume the components are independent and have the
reliability values:

p_1 = 0.9 and p_2 = p_3 = 0.7

thus q_1 = 1 - 0.9 = 0.1

q_2 = q_3 = 1 - 0.7 = 0.3

Using  the  reliability  function  derived  previously,  the  system  operation  reliability 
can  be  calculated  as: 




h(p) = (0.9)(0.7) + (0.9)(0.7) - (0.9)(0.7)(0.7) = 0.819


The fault tree, when quantified, calculates the probability of the top event
occurrence (i.e., system failure) to be 0.181, which is shown in Fig. 20 as the value the
top event attains. The probability that the system will fail is 1 - P[system functions] =
1 - 0.819 = 0.181, which agrees with the probability of success of the system calculated
using the reliability function.


Figure  20.  Example  System  Fault  Tree 

Table 1 summarizes the calculation of the structural importance for each of the
system components. The structural importance of component one is much greater than
that of components two and three, which are identical. This intuitively makes sense
because component one is a series component, and so the failure of this component has a
much greater effect on the system's operation.

The reliability importance for each component is calculated and summarized in
Table 1. Component one has a higher reliability value, and this, coupled with its
structural placement, demonstrates its relative effect on reliability importance. By
conducting a sensitivity analysis on the reliability value of component one, it can be shown
to retain a higher relative reliability importance than components two or three.


Table 1. Example System Importance
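The fault tree of Fig. 20, quantified with the values above, as an added worked example in Python (this is not the thesis's own code and not the FaultrEASE program): basic events and OR/AND gates are built following the synthesis rules of section D.2, the minimum cut sets are generated by expanding the gates and discarding any set that contains another, and the top event probability is obtained by exact enumeration of the basic-event states, which remains correct when the same event appears at more than one place in the tree (where simple gate-by-gate multiplication does not). The event numbers and q values are the chapter's; the class and function names are the example's own.

```python
# Added example (not from the thesis): a small fault tree with AND/OR gates over
# basic failure events, minimum cut set generation, and top event quantification.
from itertools import product


class Event:
    """A basic (leaf) failure event with failure probability q = 1 - p."""

    def __init__(self, name, q):
        self.name, self.q = name, q

    def cut_sets(self):
        return [frozenset([self.name])]

    def occurs(self, state):          # state maps event name -> True if it has failed
        return state[self.name]


class Gate:
    """OR: output fault if any input fault occurs. AND: output fault only if all occur."""

    def __init__(self, kind, *inputs):
        assert kind in ("OR", "AND")
        self.kind, self.inputs = kind, inputs

    def cut_sets(self):
        if self.kind == "OR":                     # union of the inputs' cut sets
            sets = [c for inp in self.inputs for c in inp.cut_sets()]
        else:                                     # AND: every combination, merged
            sets = [frozenset()]
            for inp in self.inputs:
                sets = [a | b for a in sets for b in inp.cut_sets()]
        return minimize(sets)

    def occurs(self, state):
        results = (inp.occurs(state) for inp in self.inputs)
        return any(results) if self.kind == "OR" else all(results)


def minimize(sets):
    """Keep only minimal cut sets: drop duplicates and any set that is a strict superset
    of another (by the no miracle rule nothing in it can prevent the smaller set's effect)."""
    unique = set(sets)
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))


def basic_events(node):
    """Collect {name: q} for every leaf under a node; repeated events collapse to one."""
    if isinstance(node, Event):
        return {node.name: node.q}
    out = {}
    for inp in node.inputs:
        out.update(basic_events(inp))
    return out


def top_event_probability(top):
    """Exact P[Top Event]: sum the probability of every basic-event state in which the
    top gate fires. Exponential in the number of events, but exact even with repeats."""
    q = basic_events(top)
    names = sorted(q)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if top.occurs(state):
            pr = 1.0
            for n in names:
                pr *= q[n] if state[n] else 1 - q[n]
            total += pr
    return total


def example_tree():
    """Fig. 17 / Fig. 20: the system fails if component 1 fails OR both 2 and 3 fail,
    with the chapter's q1 = 0.1 and q2 = q3 = 0.3."""
    return Gate("OR", Event("1", 0.1), Gate("AND", Event("2", 0.3), Event("3", 0.3)))


if __name__ == "__main__":
    top = example_tree()
    print("minimum cut sets:", [sorted(c) for c in top.cut_sets()])
    print("P[Top Event] =", round(top_event_probability(top), 3))
```

The cut sets come out as {1} and {2, 3}, and the top event probability is 0.181, matching the hand calculation 1 - 0.819 above. The minimization step is what turns the raw Boolean expansion into the minimum cut set list a designer reads; without it a repeated event produces non-minimal sets that overstate the number of distinct failure paths.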
IV. PANSAT FAULT TREE ANALYSIS


The  PANSAT  schematic  diagrams  listed  as  figures  in  appendices  A,  B,  and  C  were 
used  to  construct  the  PANSAT  fault  tree  listed  in  appendix  D.  Interaction  with  the 
specific  subsystem  design  engineers  was  necessary  to  ensure  interpretation  accuracy  of 
the  design  architecture. 

It was never the intention of the author to completely model the design down to
the individual component level. From a qualitative analysis viewpoint for the PANSAT
project, determination of significant failure points was the overall goal of this thesis. This
permits the design engineers to assess the fault tree analytical results and make design
modifications as deemed appropriate. The hardware architecture analyzed included the
EPS, DCS, and RF subsystems. Time limitations prevented a detailed analysis of each
subsystem. The majority of the analytical effort was spent on the evaluation of the EPS.

Subsystem  design  modifications  are  a  natural  and  continuous  process  at  this  stage 
of  the  program  life-cycle.  Modifications  made  during  the  course  of  this  analytical  process 
may  not  be  reflected  in  this  analysis. 

A  PANSAT  system  structure  function  could  be  generated  using  the  minimum  cut 
sets  listed  in  Tables  A.2,  B.2,  and  C.2.  From  the  structure  function  the  structural 
importance  of  each  failure  event  could  be  determined  by  evaluating  the  function  using  a 
system  state  vector,  x,  of  324  variables  correlating  to  the  failure  events.  Evaluation  of  the 
structural  importance  using  the  procedure  discussed  in  chapter  3  for  this  analysis  would 
provide  no  significant  benefit  to  the  design  process  and  be  nothing  more  than  an  arduous 
academic  exercise.  The  version  of  the  FaultrEASE  software  package  used  for  the  fault 
tree  construction  and  analysis  did  not  include  the  capability  for  evaluation  of  the 
structural  importance,  although  the  reliability  importance  could  be  calculated  if  reliability 
data  was  available. 
A. EPS


The  analytical  printout  of  the  data  derived  from  the  fault  tree  for  the  EPS  is 
contained  in  appendix  A.  The  failure  events  for  the  EPS  are  listed  in  Table  A.l  with  a 
brief  description  of  the  component  function  or  failure  effect.  The  event  number  correlates 
to  the  event  number  listed  in  the  fault  tree. 

1.  Minimum  Cut  Sets 

There are 125 minimum cut sets listed in Table A.2 for the EPS. The number of cut
sets is not necessarily a significant measure of a system's architectural resistance to
failure. The level of detail at which the analysis is conducted is directly proportional to
the number of analysis elements derived from the architecture. Table A.1 lists the failure
events or components that were considered to be relevant to the study objective. Many
EPS circuits could have been analyzed in increasing detail, which would have increased
the quantity and size of the minimum cut sets. For example, during one iteration of
constructing a fault tree for the EPS, a fault tree was constructed which analyzed the
electronic power switches in the EPS down to the discrete component level. This
sizable fault tree produced over 850 minimum cut sets. Although such detailed analysis
could have been conducted on the fault tree, listing many failure points, the effective
analysis is no different for the designer than considering a single end event failure (e.g.,
switch component failure) for a particular switch. There are many similar examples in
the design architecture. The appropriate reduction of the fault tree allowed the analyst to
reduce the minimum cut set generation to a more reasonable and analytically more
germane size. The largest minimum cut set for the EPS portion of the fault tree consisted
of four failure events.

The current version of the FaultrEASE FTA software program is rather elementary
in its capability to model all conditions. The program did not possess the ability to
analyze a k-out-of-n structure condition. The single point failure minimum cut sets for
the solar panels (i.e., Table A.2 minimum cut sets 1-5) only consider a single solar panel.
Since the number of solar panel failures that would be required in order to cause a critical
failure is some unknown number k, these failure events would not in reality be single
point failures as shown in Table A.2, but would constitute a minimum cut set of size k or
greater.

The failure events are listed only once in Table A.1 for convenience, but the actual
analysis printout lists an event each time it is repeated. Table 2 lists events in the fault
tree that are repeated a number of times at various locations within the tree. The number
of times an event is referenced can also be an indication of the relative importance of that
failure event's occurrence. Events 1.134 through 1.135, for example, refer to failure events
that could cause a failure of the +5 volt power supply. As will be discussed later, this
power supply is a very important circuit in the EPS architecture. All other failure events
were listed only once.

References  to  failure  events  for  the  remainder  of  this  section  refer  to  the  numbers 
used  in  Table  A.l  and  correlate  to  the  respective  event  numbers  on  the  fault  tree.  All 
references  to  minimum  cut  set  numbers  are  those  used  in  Table  A.2. 


Table  2.  EPS  Multiple  Failure  Event  Listings 

2.  Single  Point  Failures 

Single point failure events are the most significant failure event sets when
analyzing the system design for structural reliability. A minimum cut set of size 1
constitutes a single point failure, since only that one failure event is required to cause the
Top Event. The following single point failures are significant to the EPS architecture.
a. +5 Volt Power Supply

The +5 volt power supply is one of the most crucial circuits in the EPS design
architecture. This circuit provides power for the majority of logic and control circuits on
the spacecraft, including those within the EPS. A parallel redundant power supply is
integrated into the circuit design in a warm standby configuration, to instantaneously
assume the load in the event of a power supply failure. The current circuit design,
however, does admit a failure scenario in which the failure of one power supply could
cause the failure of the second power supply. This is referred to as a contingency
redundancy failure and is listed as event 1.110. The two parallel power supplies are
connected at the emitters of the output bipolar junction transistor (BJT) of each power
supply chip. The collector of each BJT is connected to the raw power bus via a fuse and a
common input filter. An emitter to collector short in either BJT, coupled with the failure
of that power supply's input fuse to blow on such an occurrence (there is a separate fuse
for each power supply), would place raw bus power on the +5 volt bus. The consequences
of such an occurrence are several, but all result in the failure of the logic circuits to operate
correctly.

Table 2 lists failure events relating to a +5 volt power supply failure as being
repeated 15 times in the fault tree structure. Failure events for a +5 volt power supply
failure are listed as minimum cut sets 11 through 17.

b.  Peripheral  Control  Bus  (PCB) 

The PCB is a system circuit which is critical for the operation of each of the
hardware subsystems analyzed. Responsible for the distribution of power, control signals,
and data traffic throughout the spacecraft, it has the potential to become a reliability
weak link in the system design. With no circuit redundancy for the PCB, almost any
single component failure in the circuit could negate the operation and function of every
relevant circuit in the spacecraft. The PCB circuit consists of a bus (wire bundle)
connecting each subsystem or peripheral component (Fig. A.9), each of which contains
interface circuits for power distribution and data connectivity. Failure events for the PCB
are listed as minimum cut sets 19-21 and 32-35.


c.  Solar  Panels 

Eight of the 17 solar panels are used for the solar panel illumination experiment
(SPIE). Each of these solar panels connects to its own current sensor (minimum cut set
number 1). There are several possible current sensor component failures which could
occur in a mode that prevents current from passing from the SPIE solar panel to the raw
power bus. All 17 solar panels are connected in parallel to supply the raw power bus
through the common master current sensor (minimum cut set number 31). The master
current sensor is identical to the SPIE current sensors.

It has not been determined exactly how many solar panel failures are necessary
to prevent operations, as previously discussed. The tumbling motion of the spacecraft
complicates the determination of effective solar panel operation or failure. Computer
simulations have been written to model spacecraft motion and the effective solar flux
area [Ref. 10]. The initial failure simulations have been completed for solar panel
failure combinations of 1 or 2 failed solar panels, with the results summarized in Table 3.
The effective solar flux area listed is the lowest minimum average for the failed panel
orientation to the sun. The power calculations are based upon a 17.1 Watt power budget
and an effective solar flux area of 989 cm^2 with no failed panels.


Solar Panel  | Effective Solar | Percent Power | Effective EOL      | Power Decrease
Failure Size | Flux Area (cm²) | Decrease (%)  | Generation (Watts) | (Watts)
1            | 908             | 8.2           | 15.7               | 1.4
2            | 831             | 15.98         | 14.37              | 2.7

Table 3. Solar Panel Failure Effects


Each  solar  panel  has  a  single  blocking  diode  (minimum  cut  sets  2  and  4)  on  the 
connection  from  the  solar  panel  to  the  EPS  power  board.  An  open  diode  would  prevent 
power distribution from the solar panel to the raw power bus. A solar panel consists of 32
series connected solar cells. If the panel string integrity is broken (i.e., by an inter-cell
connection or a cell failure), the entire solar panel is rendered useless (minimum cut sets
3 and 5).


d.  Control  Signals 

The  operation  and  commanding  of  the  electronic  power  switches  used  in  the 
EPS  to  distribute  the  unregulated  raw  power  to  the  various  subsystems  is  a  crucial  part  of 
the  EPS  design.  The  command  signal  contains  two  parts,  the  switch  address  and 
command  orders  to  turn  the  switch  on  or  off.  There  are  two  issues  to  examine  when 
analyzing  how  a  valid  command  from  the  DCS  could  be  misinterpreted  at  the  destination 
address. These issues are command addressing and command signal errors. The
command addressing issue considers how a valid signal address from the DCS is
mis-routed or modified en route to the destination. The most likely cause of this type of
error might be the PCB interface address registers, U17 or U18 on the EPS logic board, or
a failure of the command signaling path from the PCB interface registers to the switches.
The command signaling issue concerns signal distortion or modification due to a
transient condition or circuit malfunction. A recovery from a transient condition may be
possible, but a malfunction which places the system in a posture in which ground station
intervention is not possible would cause a critical failure. For example, a circuit
malfunction which causes power to be secured to the RF system when the DCS expected
something entirely different, like a battery placed on service, would leave the system
orbiting without the ability to receive ground instructions. This problem is further
complicated by the inability of the DCS to determine if the action it has commanded has
been accomplished as ordered. The DCS only has the capability to command switches,
and has no way to directly read the position of the switch (i.e., on or off). Failure events
for the control issues are listed as minimum cut sets 36 and 37.

e.  EPS  Logic  Board 

The  EPS  logic  board  can  be  thought  of  as  the  workhorse  of  the  EPS.  The  logic 
board  conducts  the  commands  received  from  the  DCS  for  power  switching,  power 
measurements,  and  WDT  resets.  Single  point  failures  of  the  logic  board  pertain  to  the 
ability to route the correct DCS commands and WDT reset signals. Minimum cut sets 21,
25, 26, and 38-46 will prevent command signals from reaching their destination. The
WDT and the circuits used to reset it are listed as minimum cut sets 18, 21-30, 32, 40, 43,
and 46. The logic board is designed almost exclusively using integrated circuits (ICs) with
very few discrete components. When the logic board is analyzed to the component level
(i.e., IC level), there is virtually no component which is not a single point failure. A high
threshold detector failure (failed high) would prevent any reset command from resetting
the WDT. The purpose of the high threshold detector is to prevent the cyclic resetting of
the WDT when there is a low voltage condition on the +5 volt power bus until the bus
becomes stable. The most likely time this would come into play is during spacecraft
initialization. A low threshold detector failure (failed low) would maintain logic components
U21, U22, U25, U26, and U27 in an initialization condition (i.e., unable to apply power to
mass storage, TMUX, RF, antenna release circuit, or battery switch operations). Any
failure which causes the output of U27 (D flip-flop which signals for power application to
a DCS) to fail high or low could cause the system to fail.

f.  Thermal  Control 

Since  the  system  is  designed  without  an  active  thermal  control  system,  all 
temperature  sensitive  components  must  rely  on  accurate  thermal  analysis.  Accurate 
reliability  prediction  also  requires  a  well  defined  thermal  environment  prediction.  A 
failure of the passive thermal control system to maintain the spacecraft within its
operational boundary limits, or the failure of swift ground station operator action in response to an
unusual thermal condition, can lead to component failures throughout the design structure.
The  battery  compartment  is  sensitive  to  excessive  thermal  conditions.  If  the  temperature 
of  the  battery  compartment  exceeds  the  thermal  limits,  then  battery  cell  plate  degradation 
and  shortened  battery  life  should  be  expected.  Temperature  conditions  which  exceed  the 
thermal  limits  could  cause  cell  dryout  due  to  excessive  cell  pressure  compromising 
battery  seal  integrity.  Single  point  failures  due  to  improper  thermal  control  are  listed  as 
minimum  cut  sets  6, 7,  and  8. 
g.  Battery  Monitor 

The  battery  monitor  is  responsible  for  maintaining  an  accurate  estimation  of  the 
condition  of  the  on-board  batteries.  A  failure  of  the  monitor  to  maintain  a  precise 
prediction  could  cause  the  operation  of  a  battery  outside  its  preferred  operating  envelope. 
This  could  lead  to  a  shortened  battery  lifetime.  A  failure  of  the  battery  cell  voltage  and 
current sensing circuits could cause the battery monitor to make incorrect estimations. If
the respective sensors, addressing registers, or multiplexers were to fail, the battery
monitor would receive inaccurate data. These failures are listed as minimum cut sets 9 and 10.

3.  Double  Point  Failures 

As the minimum cut set size increases, the system's reliability structure also
becomes more favorable. There are three EPS circuits which exhibit minimum cut sets of
event  size  two.  These  are  the  launch  switches,  WDT,  and  storage  batteries. 

a.  Launch  Switches 

The launch switches, as presently designed, are configured in two parallel strings
of two series connected switches (Fig. A.1). Such a design generates a minimum cut set
list that consists of failure combinations of one switch from each parallel leg. The four
minimum cut set combinations are listed as minimum cut sets 47-50.


b.  Battery 

The two parallel storage batteries generate a list of double point failures. Each
battery consists of a number of single point failures, but when the battery system is
considered as a combination of both batteries, a double point failure circuit is generated.
Battery  testing  is  currently  in  progress  to  determine  battery  operating  characteristics.  The 
failure  events  listed  for  the  batteries  are  failure  event  types  common  to  Ni-Cd  batteries. 
Minimum  cut  sets  47-99  list  the  battery  double  point  failures. 
c.  WDT 


The  most  critical  portion  of  the  WDT  is  the  D  flip-flop  which  switches  power  to 
the respective DCS. As previously discussed as a single point failure, if U27:A fails then
the system fails. This single point failure can also be described as a double point failure
in which both outputs (Q and Q bar) fail to a low condition. This is listed as minimum
cut set 105. It is also possible for U27:A to fail in a condition in which both outputs fail
to a high condition (minimum cut set 104). If this condition exists, then power is
continuously applied to both DCS A and DCS B. The respective DCS have no means to
communicate with each other. If one DCS is operating, it assumes it is the only DCS that
is functioning. This can cause a fatal loss of operational control of the spacecraft, with the
two DCSs fighting over the system's operations. Scenarios could easily be
conceived in which the system places itself into an unrecoverable state by one DCS placing
the system in a given state and the other DCS, assuming different initial conditions,
altering the system state to an unrecoverable condition. For example, assume DCS A has
the system aligned in the conditions listed in Table 4.

Then a failure of U27:A occurs and power is additionally applied to DCS B, which
initializes the spacecraft and re-configures it into the listening mode
described in Table 5 without detecting DCS A.

DCS A will remain in a listening mode, but will never receive a signal, because the
configuration has been modified to send the signal to DCS B. DCS B is in a
listening mode waiting for NFS connection and operating system upload. When DCS A
does not receive a signal after a given period of time, it will modify its assumed
configuration, say switch over to LNA #2, which secures power to LNA #1, applies
power to LNA #2, and switches RF S2 and RF S4 to LNA #2. Now DCS B will receive no
signal, and it in turn will modify the system configuration. This cycle could
continue indefinitely.
EPS:
  Batt. A on-line switch closed
  RF power switch on
  TMUX A/TMUX B power switch closed
  Ant. Deployment 1 and 2 power switches open
  MASS A and B power switches closed
  All battery charge and discharge switches open
  WDT U27:A output to DCS A

DCS A:
  DCS A receive segment lined up to RF

RF:
  Power applied to LNA #1 circuit
  RF S1 selected to receive
  RF S2 selected to LNA #1
  RF S4 selected to receive from LNA #1
  RF S5 selected to receive mixer
  RF S6 selected to receive mixer
  RF S7 selected to receive
  RF S8 selected to DCS A receive

Table 4. DCS A System Configuration


EPS:
  Battery A on-line switch closed
  RF power switch on
  TMUX A and TMUX B power switch closed
  Ant. Deployment 1 and 2 power switches open
  MASS A and B power switches closed
  All battery charge and discharge switches open
  WDT U27:A output to DCS B

DCS B:
  DCS B receive segment lined up to RF

RF:
  Power applied to LNA #1 circuit
  RF S1 selected to receive
  RF S2 selected to LNA #1
  RF S4 selected to receive from LNA #1
  RF S5 selected to receive mixer
  RF S6 selected to receive mixer
  RF S7 selected to receive
  RF S8 selected to DCS B receive

Table 5. DCS B System Configuration
Another critical system operation could occur in the mass storage devices, with the
competing DCS microprocessors overwriting essential data used for the other
microprocessor's specific computations.

4.  Triple  Point  Failures 

a.  Solar  Panels 

The structural reliability of the solar panels has been increased by adding a
second line from the solar panels to the EPS power bus, for both the supply and return lines.
There are fuses at each end of the power lines to prevent a fault (i.e., power line to ground
short) from grounding out the solar panel and/or the raw power bus. This design
generates the minimum cut sets 103-110. In actuality there would be 8 minimum cut sets
for each solar panel, but only one solar panel was included in the fault tree due to
software limitations.

b.  Battery 

Blocking  diodes  on  the  output  of  each  battery  prevent  uncontrolled  battery 
charging.  If  the  diodes  were  to  open  then  no  current  could  flow  from  the  battery  to  the 
raw  power  bus.  Increased  structural  reliability  was  accomplished  by  placing  two  diodes 
in parallel on the output of each battery. Minimum cut sets of size 3 are therefore found
by having both diodes of one battery fail concurrently with a critical failure in the other
battery. These are listed as minimum cut sets 111-124.

5.  Quadruple  Point  Failures 

a.  Battery 

As discussed above, both batteries have two blocking diodes in parallel on their
output. Therefore one possible failure scenario is if all four diodes were to fail open.
This is minimum cut set 125.
6.  Improvements 

During  the  process  of  synthesizing  the  fault  tree  for  the  EPS  several  design 
modifications  have  been  made  which  have  increased  the  subsystem  reliability.  These 
issues,  along  with  some  further  suggestions,  are  discussed  here  to  provoke  further  thought 
in  design  enhancement  considerations. 


a.  Launch  Switches 

The  PANSAT  design  exceeds  the  safety  requirement  mandated  by  NASA  with 
the  use  of  the  parallel  launch  switch  design  (Fig.  A.1)  for  launch  from  the  space  shuttle. 
The NASA requirement stipulates two series connected switches to prevent powering up
the system and possible radiation of electro-magnetic energy from the satellite's
communication subsystem while still in the shuttle cargo bay. The parallel switch design
effectively doubles the reliability of the launch switch circuit. Further analysis has
revealed that the circuit reliability can be further strengthened at no cost and without major design
modifications. Figure 21 illustrates the modification of the present design by placing a
single wire between the junctions of the series connected switches. The NASA
requirement of two switches connected in series from the power source to the load is still
satisfied.


Figure 21. Alternate Launch Switch Configuration 
The current design results in four minimum cut sets of size two (two failure events each).
The alternate configuration (Fig. 21) results in a much more stringent launch switch
configuration design. The minimum cut sets for the alternate design are listed in Table 6.
The event type "circle" refers to a basic component failure; in this case it is the launch
switch failing in the open position.

The system structure functions for the launch switch circuits can be derived by
applying equations 10 and 11 to the current and alternate launch switch configurations
shown below. If the switches are assumed to be independent and identical, then the
reliability function can also be derived. Functions with a subscript of the letter C are a
reflection of the current launch switch design configuration, and those subscripted by the
letter A relate to the alternate configuration. Derivation of the following results is
similar to the example problems provided in Chapter III.


(1) Current Configuration

$K_1 = S_1 \cup S_{13};\quad K_2 = S_1 \cup S_{14};\quad K_3 = S_2 \cup S_{13};\quad K_4 = S_2 \cup S_{14}$

$\phi_C(s) = \prod_{i=1}^{4} K_i = s_1 s_2 + s_{13} s_{14} - s_1 s_2 s_{13} s_{14}$

$h_C(p) = p_1 p_2 + p_{13} p_{14} - p_1 p_2 p_{13} p_{14} = 2p^2 - p^4$

$I_h(i) = p - p^3$ (since all switches are assumed identical)

(2) Alternate Configuration

$K_1 = S_1 \cup S_{13};\quad K_2 = S_2 \cup S_{14}$

$\phi_A(s) = s_1 s_2 + s_1 s_{14} + s_2 s_{13} + s_{13} s_{14} - s_1 s_2 s_{13} - s_1 s_2 s_{14} - s_1 s_{13} s_{14} - s_2 s_{13} s_{14} + s_1 s_2 s_{13} s_{14}$

$h_A(p) = 4p^2 - 4p^3 + p^4$

$I_h(i) = 2p - 3p^2 + p^3$

If  the  alternate  configuration  is  more  reliable,  then  the  reliability  function  for  the 
alternate  configuration  must  be  greater  than  the  reliability  function  for  the  current 
configuration  for  all  reliability  values,  p,  of  the  launch  switch  (each  switch  is  assumed 
identical). 
Hypothesis:

$h_A(p) \geq h_C(p)$

Proof:

$h_A(p) = 4p^2 - 4p^3 + p^4 \geq 2p^2 - p^4 = h_C(p)$

$2p^2 - 4p^3 + 2p^4 \geq 0$

$2p^2(p^2 - 2p + 1) \geq 0$

$2p^2(p - 1)^2 \geq 0 \quad \text{for all } 0 \leq p \leq 1$

Min Cut Set | Size     | Event Type | Description
1           | 2 events | CIRCLE     | S2 Failure
            |          | CIRCLE     | S14 Failed
2           | 2 events | CIRCLE     | S1 Failure
            |          | CIRCLE     | S13 Failed
3           | 3 events | CIRCLE     | S13 Failure
            |          | CIRCLE     | S1 Failure
            |          | CIRCLE     | S14 Failed
4           | 3 events | CIRCLE     | S13 Failure
            |          | CIRCLE     | S1 Failure
            |          | CIRCLE     | S2 Failed
5           | 3 events | CIRCLE     | S14 Failure
            |          | CIRCLE     | S2 Failure
            |          | CIRCLE     | S1 Failed
6           | 3 events | CIRCLE     | S14 Failure
            |          | CIRCLE     | S2 Failure
            |          | CIRCLE     | S13 Failed

Table 6. Alternative Launch Switch Configuration Minimum Cut Sets

Therefore the alternate configuration is more reliable at the cost of a small
wire connecting the switches. The ratio of the reliability functions will give a good
indication of the relative value of the alternate configuration. As the individual switch
reliability (p) approaches one, the ratio also approaches one.

$\frac{h_A(p)}{h_C(p)} = \frac{4p^2 - 4p^3 + p^4}{2p^2 - p^4} = \frac{(p - 2)^2}{2 - p^2}$
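To make the cut-set derivation above concrete, here is an added example (not code from the thesis) that rebuilds both launch switch configurations from their minimal cut sets K_i and evaluates φ(s), h(p), I_h(i) and the ratio h_A/h_C by exhaustive enumeration of switch states. I_h(i) is computed as h(1_i, p) − h(0_i, p), which for independent switches is the partial derivative the polynomials above reduce to; the reliability routine accepts any cut-set list, not only these two.

```python
"""Launch switch structure and reliability functions rebuilt from minimal cut sets.

Added example, not the thesis's own code. Switch names S1, S2, S13, S14 and
the cut sets K_i are taken from the text; everything else is an assumption.
"""
from fractions import Fraction
from itertools import product

# Minimal cut sets from the text: every switch in a set failing open isolates
# the load. Current design: two parallel legs of two series switches.
CURRENT_CUT_SETS = [{"S1", "S13"}, {"S1", "S14"}, {"S2", "S13"}, {"S2", "S14"}]
# Alternate design: a wire joins the mid-points of the two legs.
ALTERNATE_CUT_SETS = [{"S1", "S13"}, {"S2", "S14"}]
SWITCHES = ("S1", "S2", "S13", "S14")


def structure_function(cut_sets, state):
    """phi(s) in {0, 1}: the system works iff every minimal cut set still
    contains at least one working component, i.e. the product over cut sets
    of the union (1 - prod(1 - s_j)) of their component states."""
    for cut in cut_sets:
        if all(state[name] == 0 for name in cut):
            return 0
    return 1


def reliability(cut_sets, probs):
    """h(p) = E[phi(S)] for independent components; probs maps name -> p_i.

    Exhaustive enumeration over all 2^n component states, exact with
    Fraction inputs. Works for any cut-set list whose names are keys of probs.
    """
    names = list(probs)
    total = Fraction(0)
    for bits in product((0, 1), repeat=len(names)):
        state = dict(zip(names, bits))
        if not structure_function(cut_sets, state):
            continue
        weight = Fraction(1)
        for name, bit in state.items():
            weight *= probs[name] if bit else 1 - probs[name]
        total += weight
    return total


def identical(p):
    """All switches independent and identical with reliability p."""
    return {name: Fraction(p) for name in SWITCHES}


def h_current(p):
    """Should equal 2p^2 - p^4 from the text."""
    return reliability(CURRENT_CUT_SETS, identical(p))


def h_alternate(p):
    """Should equal 4p^2 - 4p^3 + p^4 from the text."""
    return reliability(ALTERNATE_CUT_SETS, identical(p))


def importance(cut_sets, p, name):
    """I_h(i) = h(1_i, p) - h(0_i, p): reliability difference between component
    i certainly working and certainly failed. For independent components this
    is dh/dp_i, which reduces to the polynomials in the text."""
    up = identical(p)
    up[name] = Fraction(1)
    down = identical(p)
    down[name] = Fraction(0)
    return reliability(cut_sets, up) - reliability(cut_sets, down)


def reliability_ratio(p):
    """h_A(p) / h_C(p); the text gives the closed form (p - 2)^2 / (2 - p^2)."""
    return h_alternate(p) / h_current(p)


def alternate_never_worse(steps=200):
    """Grid check of the hypothesis h_A(p) >= h_C(p) for 0 <= p <= 1."""
    return all(h_alternate(Fraction(k, steps)) >= h_current(Fraction(k, steps))
               for k in range(steps + 1))


if __name__ == "__main__":
    for p in (Fraction(9, 10), Fraction(99, 100)):
        print(f"p={p}: h_C={float(h_current(p)):.6f}  "
              f"h_A={float(h_alternate(p)):.6f}  "
              f"ratio={float(reliability_ratio(p)):.6f}")
```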


b.  Blocking  Diodes 

(1)  Battery  Blocking  Diodes.  A  preceding  EPS  design  used  one  output 
blocking  diode  from  each  battery  to  the  raw  power  bus.  Using  an  approach  similar  to  the 
above, it can be shown that the reliability of the blocking diode circuit increases from a value
of p to a value of $2p - p^2$. This will increase the reliability of the diode circuit for all
reliability values p.

(2)  Solar  Panel  Blocking  Diodes.  The  approach  to  dual  blocking  diodes  used 
for  the  battery  can  also  be  applied  to  the  solar  panel  and  elsewhere  in  the  EPS  design 
where appropriate space availability exists. This is a critical component for the solar
panels and could be incorporated into the design at a relatively low cost.

c.  Power  Switching  Control  Circuits 

The  power  switching  logic  circuits  on  the  EPS  logic  board  are  single  point 
failure  items  for  the  system.  The  distribution  of  load  assignments  to  the  power  switching 
control registers, U21 and U22, is shown in Fig. A.3. All similar type loads are
controlled off the same register. The failure of one register would prevent the use of both
redundant subsystem circuits. The loads for U21, for example, control all the switches
for charging, discharging, and placing on-line both batteries. If U21 were to fail, then no
battery switch would be functional, which would cause a critical failure. In order to help
reduce  the  possibility  of  a  single  point  upset  by  the  failure  of  one  register,  like  subsystem 
components  should  be  controlled  off  separate  registers  (i.e.,  MASS  A  controlled  by  U21 
with  MASS  B  controlled  by  U22).  Additionally,  all  the  switches  for  a  particular  battery 
must  be  controlled  off  the  same  register  to  prevent  a  similar  type  failure  scenario  with  the 
present  design. 
Failure modes which place the spacecraft in a configuration in
which two-way communication with the satellite is not possible should be addressed in
the operating system architecture. To prevent the spacecraft from re-configuring to a
failed alignment, particularly after an upsetting event has caused a system
re-initialization, a log of the system's configuration should be maintained within the flash
memory of the mass storage devices.

The ability to verify system commands could be beneficial to the satellite's self-diagnostic
capability and a basis for critical failure mode prevention. If the satellite
possessed the ability to recognize the system's failure to correctly respond to commands it
has ordered, it could re-configure to an acceptable configuration before a critical failure
event has occurred, and allow further analysis to be conducted by the ground station.

d.  Antenna  Deployment  Circuitry 

Detailed  failure  analysis  of  the  communication  signal  beam  pattern  has  not  been 
studied  for  a  failure  scenario  in  which  a  portion  or  all  of  the  antenna  circuits’  four  dipole 
antennas  fail  to  release.  A  second  power  switch  was  added  to  the  design  to  help  ensure 
the  deployment  of  the  antennas.  The  additional  switch  feeds  a  common  antenna 
deployment  circuit  consisting  of  heaters  to  burn  the  antenna  restraints.  A  failure  in  the 
antenna  deployment  circuit  would  still  prevent  a  controlled  antenna  release.  A 
deployment  circuit  with  parallel  switches  connected  in  this  configuration  also  risks  the 
possibility  of  a  contingency  redundancy  failure  of  the  switches.  True  circuit  redundancy 
is  only  possible  if  the  circuits  are  independent  of  each  other. 

e.  Solar  Panel  Wiring  And  Fusing 

Redundant  power  lines  (both  supply  and  return)  from  the  solar  panels  to  the  EPS 
power  board  have  been  added  to  prevent  the  break  in  one  line  from  isolating  a  solar  panel. 
Additionally,  fuses  at  each  end  of  the  supply  line  are  provided  to  prevent  a  short  from 
grounding  out  the  panel. 
f.  Power  Switch  Fusing 

Fuses  at  the  input  of  each  power  switch,  with  the  exception  of  the  RF  power 
switch,  have  been  added  to  prevent  a  short  in  a  subsystem  grounding  out  the  entire 
spacecraft  power  bus. 

g.  +5  Volt  Power  Supply 

The  +5  volt  power  supply  performs  a  crucial  role  in  the  performance  of  the 
spacecraft. Used for most control circuits, its failure in any way will cause a critical
failure. Minimum cut sets relating to the +5 volt power supply failure were listed
conservatively 16 times for the EPS portion of the fault tree alone. Although there is a
redundant  power  supply,  the  susceptibility  of  the  design  to  a  contingency  redundancy 
failure  should  not  be  overlooked.  Further  analysis,  using  quantitative  analysis,  is 
necessary  to  validate  the  power  design  configuration. 

h.  PCB 

The  PCB  is  the  vital  communication  and  power  distribution  link  between  the 
subsystems  and  peripherals.  A  single  failure  (e.g.,  break  in  a  power  line  from  the  EPS) 
could permanently secure operations. Short of making a redundant PCB, which defeats
the compact design of the PCB, only stringent quality control of the PCB fabrication and
installation can help minimize the failure of the physical bus. Although the PCB
interface  circuits  are  radiation  hardened,  there  is  no  redundancy  provided  for  any  circuit 
interface. 


i.  WDT 

Any failure condition of the WDT, particularly U1 and U27:A, will result in a
critical failure. If the circuit were to fail in a condition in which both DCS A and DCS B
are powered, then the system must be intelligent enough to detect this and respond in a
manner which keeps the system operational. One possible solution is to reserve a given
memory location in the mass storage devices for the operational DCS to access. If a DCS
is functioning, then it would periodically read that memory location's contents for its
unique identification flag. If the memory location did not possess its flag, but instead
contained the flag of the other DCS, as would be the case if both DCS were accessing the
location, then it would reset the flag. If the flag had been altered again at the time of its next
access, it would then go into a standby condition and allow the other DCS to control the
spacecraft. This standby mode, for example, could be the continuous calculation of the
value of pi to keep the microprocessor busy. The controlling DCS must also detect the
other DCS's status and report it in the telemetry stream to the ground station.
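The flag hand-off described above, as an added simulation that is neither the thesis's nor PANSAT's flight code: the reserved mass storage location is a single dictionary entry, each DCS runs the read/reset/standby check on every periodic access, and a scheduler exhausts the interleavings of the two processors' accesses to confirm that exactly one DCS ends up in control whatever the timing. The DCS names "A"/"B" and the telemetry report format are assumptions.

```python
"""Simulation of the shared-flag DCS arbitration proposed for a U27:A failure.

Added example, not flight code. The reserved mass storage location is modelled
as one dictionary entry; the access order of the two DCS is supplied as a
string such as "ABAB" so that every interleaving can be exercised.
"""
from itertools import product


class DCS:
    """One data control system running the periodic flag check."""

    def __init__(self, ident):
        self.ident = ident            # unique identification flag, "A" or "B"
        self.standby = False          # True once it has yielded control
        self.reset_pending = False    # True if we rewrote the flag last access

    def access(self, memory):
        """One periodic read of the reserved location, per the text:
        own flag present  -> nothing to do;
        other DCS's flag  -> first time: reset it to our own flag and re-check
                             on the next access; second time in a row: the
                             other DCS is alive and competing, so go to standby.
        """
        if self.standby:
            return                    # standby: keep busy, never write again
        if memory["flag"] == self.ident:
            self.reset_pending = False
            return
        if self.reset_pending:
            self.standby = True
            return
        memory["flag"] = self.ident
        self.reset_pending = True


def run(schedule, powered=("A", "B"), initial_flag="A"):
    """Apply the accesses in `schedule` order; return the identifiers of the
    DCS still in control (not in standby) at the end."""
    memory = {"flag": initial_flag}
    units = {ident: DCS(ident) for ident in powered}
    for who in schedule:
        if who in units:
            units[who].access(memory)
    return {ident for ident, unit in units.items() if not unit.standby}


def telemetry(schedule, powered=("A", "B")):
    """Status the controlling DCS would report to the ground station
    (assumed format): which DCS controls and which is in standby."""
    in_control = run(schedule, powered)
    return {"control": sorted(in_control),
            "standby": sorted(set(powered) - in_control)}


def single_dcs_keeps_control():
    """Normal case: only DCS A powered, it never sees a foreign flag."""
    return run("AAAAAA", powered=("A",)) == {"A"}


def all_interleavings_converge(prefix_len=6):
    """For every interleaving of `prefix_len` accesses, followed by a few
    alternating accesses so both DCS get another turn, exactly one DCS must
    remain in control: the arbitration settles regardless of timing."""
    for prefix in product("AB", repeat=prefix_len):
        if len(run("".join(prefix) + "ABABAB")) != 1:
            return False
    return True


if __name__ == "__main__":
    print(telemetry("ABAB"))      # DCS A keeps control, DCS B stands by
    print(telemetry("ABBABA"))    # with this timing DCS B wins instead
    print(all_interleavings_converge())
```

Which DCS ends up in control depends on the access timing, so the ground station learns the outcome only from the telemetry report, not from the design.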

j.  Battery 

The  battery  must  be  periodically  reconditioned  using  controlled  battery 
discharge  and  charging  procedures.  This  will  increase  battery  lifetime  and  also  result  in 
resetting  the  battery  monitor  to  a  known  condition  of  battery  status. 

B.  RF 

The RF subsystem fault tree was constructed utilizing the block diagram (Fig. B.1).
The respective switch designations (i.e., RF S1 through RF S9) are unique to this analysis
only. These may not correlate to the designations used by the subsystem designer in
future schematics. The RF subsystem is designed with redundant circuits and selective
switching circuits to route the signals. This makes the signal routing
switches the critical failure points for the design. The reliability of the switching circuits
and  the  control  system  must  be  carefully  evaluated  to  ensure  the  reliability  of  the  system 
is  actually  enhanced  by  the  use  of  similar  redundant  systems. 

The  analysis  data  derived  from  the  fault  tree  for  the  RF  subsystem  is  contained  in 
appendix  B.  The  failure  events  for  the  RF  subsystem  are  listed  in  Table  B.l  with  a  brief 
description  of  the  component  function  or  failure  effect.  The  event  numbers  correlate  to 
the  event  number  listed  on  the  leaves  of  the  fault  tree. 

1.  Minimum  Cut  Sets 

There are 114 minimum cut sets (Table B.2) for the RF subsystem portion of the
fault tree. Minimum cut sets of size 1 (single point failures) contribute 90 of the 114
minimum cut sets. The majority of the event types are listed as a "diamond" event (Fig.
15),  as  described  in  Chapter  III.  This  indicates  that  further  evaluation  of  the  event  is 
possible  but  is  not  conducted  here.  This  may  be  due  to  the  fact  no  additional  information 
could  be  derived  by  further  breaking  down  the  design,  the  immaturity  of  the  design,  or 
due  to  analysis  time  limitations. 

2.  Single  Point  Failures 

The  prevalent  single  point  failure  events  involved  the  signal  routing  switches  in  the 
RF  subsystem,  from  the  antenna  to  the  respective  portions  of  a  DCS  modem.  The  other 
single  point  failure  events  consider  antenna  and  power  supply  failure  scenarios. 

a.  Signal  Routing  Switches 

There  are  63  single  point  failures  corresponding  to  the  switch  operations  alone. 
There  are  7  single  point  failure  events  listed  for  each  of  the  9  RF  signal  routing  switches. 
The  issues  concerning  a  switch  failure  include  switch  component  failures,  command  bus 
failures,  command  addressing  logic  failures,  command  signal  format  problems,  and 
power distribution from the respective power buses to the circuits. The failure events for
RF switch #3 (Fig. B.1), for example, are listed as minimum cut sets 11-17. Two of the
switches, RF S1 and RF S2, are mechanical switches and thus subject to the additional
failure  mode  of  mechanical  wear.  The  switch  failure  events  themselves  have  not  been 
addressed  in  significant  detail  due  to  time  constraints. 

Since the signal routing switches are a common and necessary element of parallel
circuit operation with the given design, they could also be listed as part of a double
point failure minimum cut set. This is because the switch failure position can be one of
several modes. It could fail in a condition in which it could not route the signal in either
direction (i.e., RF S2 could not route the signal to LNA #1 or LNA #2), in which case it would be
a single point failure. The switch could also fail in a condition in which it could only
route the signal through one path (i.e., LNA #1), so that an additional critical failure event
in the path selected by the failed switch would be required for a critical failure.
Additionally, if the switch is common to both the receive and transmit circuits (i.e., RF
S1, RF S4, RF S5, RF S6, or RF S7), then its failure may reduce the satellite to a single
operational function (i.e., transmit or receive). If that were true, then the system would be
functionally inoperable, lending itself as a critical failure.

b.  Antenna 

The  critical  failure  events  associated  with  the  antenna  circuits,  which  include  the 
antenna,  impedance  matching  transformers,  interconnections,  and  the  bandpass  filter, 
consider  the  events  which  diminish  the  communication  signal  to  noise  ratio.  Minimum 
cut  sets  32-45,  54,  and  55  are  concerned  with  signal  grounding,  degraded  signal  path 
characteristics, and component failures. For the antenna circuit, the key to its successful
operation is inherent to quality fabrication and system interface.

c.  Power  Supply 

The  RF  subsystem  electrical  power  concerns  are  associated  with  the  distribution 
of power from the PCB interface for the RF subsystem. Since power from the +5
volt bus is used for both the PCB interface and command signal processing, the local +5 volt bus is as
important to the RF subsystem as it was to the EPS.

Raw  power  from  the  EPS  is  locally  conditioned  (regulated)  for  use  by  the  RF 
subsystem  components.  A  critical  failure  event  to  the  local  power  buses  will  cause  a 
system  failure. 

3.  Double  Point  Failures 

There are 24 minimum cut sets consisting of 2 failure events for the RF subsystem. Since only a few circuits constitute the subsystem, and most circuits are redundant, only a few double point failures are listed for this analysis.

a.  Antenna  Deployment 

The failure of the antenna to deploy properly, whether during the controlled deployment attempted in the launch and initialization phase or during a subsequent manual deployment, may be a critical failure mode. Detailed analysis of antenna beam patterns with the dipole antennas housed, or partially deployed, must be conducted to determine if a sufficient signal to noise ratio can be supported. Minimum cut set number 102 lists low battery power as a cause for the antenna failing to release. This may not actually be a viable cause, since battery power is not relied upon as a power source for antenna deployment.

b.  Amplifiers 

There are two HPA circuits, each consisting of two cascaded power amplifiers. Any combination of a failed amplifier from each HPA will prevent signal transmission. These are listed as minimum cut sets 91-95.

Each of the two LNAs contains one amplifier circuit. A critical failure therefore requires both LNAs to fail, or one LNA failure coupled with a failure of the associated switch, RF S2 or RF S4.

c.  Intermediate  Frequency  (IF)  Circuits 

The signal conversion from pass band to IF, or vice versa, takes place in one of two frequency conversion circuits. Each circuit consists of a signal mixer and a dedicated local oscillator (LO). The LO can prevent operations through either component failure or significant frequency drift.

4.  Improvements 

The prevalent reliability concern for the RF subsystem originates with the signal routing structure. Both component and command signaling concerns dominate the signal path issues. Although it is not easy to expose the true reliability weakness of the design without assigning quantitative values, a more reliable system may be one which consists of only a few necessary switches.

C.  DCS 

The DCS was the subsystem which received the least attention due to time limitations. The analysis therefore should not in the least be considered detailed or complete. All the data derived for the DCS portion can be found in Appendix C. The system failure events, listed in Table C.1, are not at all detailed, considering only very generic failure scenarios. The 55 minimum cut sets for the DCS are listed in Table C.2. A block diagram (Fig. C.1) was used to construct the DCS portion of the fault tree.

Since the fault tree was constructed at a very generic level, the majority of the failure events result in single point failure conditions. There are 54 single point failures listed for the DCS. Each failure event is a circuit malfunction. There is one double point failure, and it refers to the peripheral mass storage device failures.

A more thorough analysis of the DCS is required to generate any constructive analysis data beyond what has already been discussed in the previous sections.
V. SUMMARY


Sound system management requires the exploitation of all relevant analytical capabilities to ensure the most reliable system is deployed. Essential to the design architecture of any system is the effort to minimize all system failure modes. The principal theme of this thesis has been to identify the critical failure modes for the PANSAT EPS, DCS, and RF subsystems using fault tree analysis, to permit architectural modifications that are essential to meeting the system's operational lifetime requirements.

Continuous maintenance of the fault tree is required if it is to be of continuing benefit in the design process and helpful in explaining the cause of system anomalies during test and flight.

Significant weak points in the design have been identified and should be the topic of further design modifications and analysis. This will require further detailed modeling and assessment efforts.

A.  SYSTEM  RECOMMENDATIONS 

The analytical efforts discussed in Chapter 4 indicate the design concerns which should be considered. The most prevalent questions that require attention follow:

1. The +5 volt power supply reliability and its susceptibility to a contingent failure are of great concern. This critical circuit affects each subsystem in a very critical manner. Detailed analysis of the present design, as well as of alternative designs, should be carried out to enhance the circuit's reliability.

2. The PCB is the artery that supports the entire spacecraft. If it is severed in any manner, then the spacecraft is sure to experience a critical failure.

3. Command switching operations are a necessary function of the system due to the design structure. The EPS and RF subsystems both rely upon intelligent switching operations to complete their mission. The system is not presently capable of making an informed evaluation of its state (i.e., switch positions). Consequently, historical command data must be relied upon to reconfigure the spacecraft for each operation.

4. The EPS logic board consists of circuits with no redundancy. Almost without exception, each component could cause a critical failure. Circuits that perform redundant operations should not be linked, if at all possible, through a single point failure. For example, redundant components should not be addressed through the same addressing register for switch control operations.

5. The launch switch circuit, in its present configuration, constitutes a system that has an equivalent minimum cut set representation of size two event elements. Although this is more structurally secure than the single point failure events, it has been proven that at the cost of a short wire the circuit can be made more reliable.

6. The energy storage batteries being flown aboard the spacecraft are not space qualified. It is important for the endurance and survivability of the batteries that they be operated within operational bounds and placed on a stringent maintenance schedule.

7. All switches, both mechanical and electronic, should be carefully evaluated to determine their respective reliability. For a given system it may be more appropriate to simplify the design and not rely upon sophisticated signal routing.

8. Testing and subsystem integration procedures are important elements to help minimize some of the failure events listed in the fault tree. Assessment of external stresses (i.e., structural and thermal stress) upon the spacecraft, and the order of their occurrence, can have a dramatic effect on the system reliability performance. An example of such stress would be thermal expansion that causes broken component leads and connections. Thermal excursions can affect the reliability of components, and must be considered when evaluating component reliability. Stress screen testing of electronic components, typically performed by the vendor, is an effective tool to minimize electronic circuit component failures.


B.  SYSTEM  RELIABILITY  MANAGEMENT 

A severe weak point in the PANSAT program has been its cursory approach to reliability analysis. The absence of a coherent reliability program that supports the design process has resulted in a program with no analytical basis. This would not be permitted in any commercial or defense contractor program.

This thesis has been the lead reliability analysis of the program, and has occurred at a late stage of the system's design lifecycle. There are numerous publications that outline how a reliability program is incorporated into a system's design and operational cycle. Several military standard (MIL-STD) publications are available that deal directly with the programmatic structure a reliability program should embrace. These are briefly discussed to promote further thought by systems management personnel.

1. Reliability Program for Systems and Equipment Development and Production (MIL-STD-785)

This standard provides the general requirements and specific tasks for reliability programs during the development, production, and initial deployment of systems and equipment [Ref. 11]. Designed for use by Department of Defense (DoD) contractors, it provides guidelines for the design, management, control, and maintenance of reliability that are essential to a reliability program.

2. Reliability Program Requirements for Space and Launch Vehicles (MIL-STD-1543)

This standard is similar to MIL-STD-785 but is tailored specifically for the DoD space systems contractor. Detailed requirements of reliability design reviews, reliability modeling requirements, testing, and corrective action review boards are provided to integrate the reliability and design processes [Ref. 12].

3. Procedures for Performing a Failure Mode, Effects and Criticality Analysis (MIL-STD-1629)

This standard establishes the requirements and procedures to perform a failure mode, effects, and criticality analysis (FMECA). This tool could be used to systematically evaluate and document the potential impact of each functional and hardware failure on mission success, safety, performance, maintainability, and maintenance requirements [Ref. 13]. FMECA is typically used as a management and reliability assessment tool for program design reviews.

C.  FOLLOW  ON  STUDY 

The need for reliability analysis assessment has become increasingly evident as the thesis effort has progressed. Several issues that need to be explored for the PANSAT program and any follow on program are listed below:
1. More detailed analysis of specific subsystems and circuits is required. Although a significant amount of analytical information was uncovered, only the ground work has begun on this topic. There is an abundant amount of data that could be investigated to enhance the design process.

2. A detailed reliability management plan should be created and complied with in order to head off problems early in the design cycle. This will help ensure that key reliability issues are addressed right from the program's inception. This goal could expand the realm of the program's involvement to include students and staff from the Operations Research Department (OR), where experience and involvement in similar programs dealing with these types of issues are in progress.

3. As the design reaches maturity, quantitative analysis modeling of the system could provide useful insights into the mission's reliability state.

4. The fault tree constructed for this thesis must be continuously updated and built upon as the design changes and matures. It is strongly recommended that this task be assigned to a program engineer.
APPENDIX A. ELECTRICAL POWER SUBSYSTEM FAULT TREE ANALYSIS


This appendix contains the raw data for the FTA of the EPS. Figures A.1 through A.9 are EPS schematic diagrams. The EPS failure end events are listed in Table A.1, and Table A.2 lists the EPS minimum cut sets generated by the FaultrEASE fault tree software program for the PANSAT fault tree in Appendix D.

The minimum cut sets were generated using a direct evaluation technique employed by the fault tree software program. The basic end events were compared by their description label contents.
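As an added worked example (not code from the thesis or from the FaultrEASE program), the Python below generates minimal cut sets by top-down expansion of AND/OR gates followed by absorption, which is the logic behind the single and double point failure listings of Tables A.1 and A.2. The event labels are Table A.1 identifiers; the gate structures that connect them are assumptions, chosen so that the launch switches reproduce cut sets 47-50, the +5 V supply reproduces events 1.75-1.77, and the U17 example illustrates recommendation 4 of Chapter V.

```python
"""Minimal cut sets of a fault tree by top-down gate expansion.

Added worked example; not code from the thesis or the FaultrEASE program.
Event labels are Table A.1 identifiers; the gate structures are assumptions
(see comments), chosen to reproduce the cut sets the thesis reports.
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Gate:
    kind: str        # "AND" or "OR"
    inputs: tuple    # each input is a Gate or a basic-event label (str)


Node = Union[Gate, str]
CutSets = set    # a set of frozenset[str], one frozenset per cut set


def minimise(sets: CutSets) -> CutSets:
    """Absorption: drop any cut set that strictly contains another one.

    {U17} and {U17, Batt B} both fail the top event; only {U17} is minimal.
    """
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node: Node) -> CutSets:
    """Return the minimal cut sets of the subtree rooted at `node`."""
    if isinstance(node, str):                  # basic event: its own cut set
        return {frozenset([node])}
    children = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                      # any input failing fails the gate
        combined = set().union(*children)
    elif node.kind == "AND":                   # every input must fail: product
        combined = {frozenset()}
        for child in children:
            combined = {a | b for a in combined for b in child}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimise(combined)


def by_size(sets: CutSets) -> dict:
    """Group cut sets by size, as the thesis tables do: single point
    failures (size 1) first, then double point failures (size 2)."""
    grouped: dict = {}
    for s in sets:
        grouped.setdefault(len(s), []).append(tuple(sorted(s)))
    return {size: sorted(members) for size, members in sorted(grouped.items())}


# Assumed structure 1: loss of the raw power bus. Launch switches S1/S2 and
# S13/S14 are modelled as two redundant pairs in series (this reproduces
# cut sets 47-50 of Table A.2); the master current sensor (1.83) sits
# downstream of both, so it is a single point failure (cut set 31).
RAW_BUS_LOSS = Gate("OR", (
    "1.83 Master Current Sensor Failure",
    Gate("AND", (
        Gate("OR", ("1.16 S1 Failed", "1.19 S2 Failed")),
        Gate("OR", ("1.17 S13 Failure", "1.18 S14 Failure")),
    )),
))

# Assumed structure 2: loss of the +5 V bus. Two redundant supplies, plus
# event 1.75, in which one supply failing takes the redundant one down.
FIVE_VOLT_LOSS = Gate("OR", (
    "1.75 P/S Contingency Redundancy Failure",
    Gate("AND", ('1.76 P/S "A" Failure', '1.77 P/S "B" Failure')),
))

# Assumed structure 3: the situation behind recommendation 4. Battery A and
# battery B are redundant, but both are controlled through addressing
# register U17 (1.73). Expansion yields {U17}, {U17, Batt B}, {Batt A, U17}
# and {Batt A, Batt B}; absorption keeps only {U17} and {Batt A, Batt B}.
BATTERY_POWER_LOSS = Gate("AND", (
    Gate("OR", ("1.20 Batt A Cell Interconnection Broken",
                "1.73 PCB Interface Failure U17")),
    Gate("OR", ("1.33 Batt B Cell Interconnection Broken",
                "1.73 PCB Interface Failure U17")),
))


if __name__ == "__main__":
    for name, tree in (("raw bus", RAW_BUS_LOSS), ("+5 V bus", FIVE_VOLT_LOSS),
                       ("battery power", BATTERY_POWER_LOSS)):
        for size, members in by_size(cut_sets(tree)).items():
            for events in members:
                print(f"{name:14s} {size} event(s): {'; '.join(events)}")
```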


Figure A.1 EPS Block Diagram
Figure A.2 EPS +5 Volt Power Supplies

Figure A.4 EPS Electronic Power Switching Circuits


Event | Description | Notes
1.1 | Experimental Current Sensor Failure | A current sensor is located between the solar panel and the launch switches for each of the 8 solar panels in the solar panel illumination experiment (SPIE).
1.2 | Experimental Connection Broken | Broken power connection from an SPIE solar panel to the raw power bus.
1.3 | Experimental Line 1 SP Fuse Blows | Blown line 1 fuse at the SPIE solar panel end (connection of each solar panel is made with two separate lines, with each line having two fuses, one at the solar panel end and one at the EPS raw bus end).
1.4 | Experimental Line 1 EPS Fuse Blows | Blown line 1 fuse at the SPIE EPS end.
1.5 | Experimental Line 2 SP Fuse Blows | Blown line 2 fuse at the SPIE solar panel end.
1.6 | Experimental Line 2 EPS Fuse Blows | Blown line 2 fuse at the SPIE EPS end.
1.7 | Experimental S/P Blocking Diode Fails Open | Each SPIE solar panel has a blocking diode connecting the solar panel to the EPS raw power bus to prevent reverse current flow through a non-power producing solar panel. If the diode fails open then no power would be available from the solar panel.
1.8 | Experimental Panel String Broken | Each SPIE solar panel consists of 32 series connected solar cells. If the connections between the cells or a cell fails open then the solar panel is ineffective.
1.9 | Connection Broken | Same as 1.2 for remaining solar panels.
1.10 | Line 1 SP Fuse Blows | Same as 1.3 for remaining solar panels.
1.11 | Line 1 EPS Fuse Blows | Same as 1.4 for remaining solar panels.
1.12 | Line 2 SP Fuse Blows | Same as 1.5 for remaining solar panels.
1.13 | Line 2 EPS Fuse Blows | Same as 1.6 for remaining solar panels.
1.14 | Solar Panel Blocking Diode Fails Open | Same as 1.7 for remaining solar panels.
1.15 | Panel String Broken | Same as 1.8 for remaining solar panels.
1.16 | S1 Failed | Launch switch connecting the solar panels and batteries to the raw power bus.
1.17 | S13 Failure | Launch switch connecting the solar panels and batteries to the raw power bus.
1.18 | S14 Failure | Launch switch connecting the solar panels and batteries to the raw power bus.
1.19 | S2 Failed | Launch switch connecting the solar panels and batteries to the raw power bus.
1.20 | Batt A Cell Interconnection Broken | Broken connection between the 10 series connected type D Ni-Cd battery cells comprising battery A.
1.21 | Batt A Cell Internal Connection Broken | Broken power connection internal to each type D Ni-Cd cell (e.g., between battery plates and the cell terminals).
1.22 | Batt A Cell Reversal | Battery cell condition where the cell becomes a power load and causes cell polarity reversal.
1.23 | Batt A Plate Degradation | Battery cell plate degradation to the point where the cell is not able to hold a charge.
1.24 | Faulty Temp Sensing System (TMUX) | A temperature sensing circuit failure could cause a battery over temperature condition. If the temperature becomes high enough, battery explosion or pressure seal blow-by could occur.
1.25 | Improper Passive Thermal Control | Battery box thermal conditions exceed expected conditions due to improper passive thermal control and cause the event conditions of 1.24.
1.26 | Insufficient Operator Action | Ground control operators fail to take timely actions to correct improper battery thermal conditions, causing high temperature operations (this may be a flag to a separate event failure).
1.27 | Batt A Improper Charge Rates | If batteries are not maintained in accordance with operating specifications for charging and discharging rates, then battery life could be severely shortened.
1.28 | Substandard Seal Construction | A poor battery seal could cause leakage or electrolyte blow-by during battery gassing evolutions, and evaporation causing cell dryout (failure).
1.29 | Battery Monitor Failure | If the battery monitor fails to maintain an effective status measurement of battery conditions, then continuous battery over-charge cycles will reduce battery lifetime.
1.30 | Blocking Diode D9 Fails Open | Battery A has two output blocking diodes (parallel redundancy) to prevent uncontrolled battery charging. Failure of the blocking diodes will prevent placing the battery on service.
1.31 | Blocking Diode D20 Fails Open | See event 1.30.
1.32 | Battery "A" Current Sensor Failure | Current sensor failure could prevent current flow from the battery to the raw power bus.
1.33 | Batt B Cell Interconnection Broken | See 1.20.
1.34 | Batt B Cell Internal Connection Broken | See 1.21.
1.35 | Sub-standard Seal Construction | See 1.28.
1.36 | Batt B Cell Reversal | See 1.22.
1.37 | Batt B Plate Degradation | See 1.23.
1.38 | Batt B Improper Charge Rates | See 1.27.
1.39 | Battery Monitor Failure | See 1.29.
1.40 | Battery "B" Current Sensor Failure | See 1.32.
1.41 | Blocking Diode D10 Fails Open | See 1.30.
1.42 | Blocking Diode D28 Fails Open | See 1.31.
1.43 | Current/Voltage Sensing Ckt Failure U25/U26 | Failure would cause the inability to monitor cell voltages and battery condition (see 1.29).
1.44 | Batt A Charge Switch Fails Shut | Charge switch failing shut would cause continuous battery charging, eventually leading to a battery over-temperature condition.
1.45 | Batt B Charge Switch Fails Shut | See 1.44.
1.46 | D11 Fails Open | Each charge switch has two parallel diodes on the charge switch battery output side. Diode failure prevents recharging battery A.
1.47 | D29 Fails Open | See 1.46.
1.48 | Broken Connection | Power bus failure between the switch and the bus.
1.49 | Batt A Chg Switch Input Fuse Failure | Each switch is fused on the input (power line side). Fuse failure prevents current flow through the switch.
1.50 | Loss of +5 V from PCB to Batt A Chg Control | No control power for switch operations.
1.51 | Batt A Chg Switch Component Failure | The electronic switches consist of several discrete components. Failure of most any of them will cause the switch to fail.
1.52 | Batt A Discharge Switch Fails Shut | Battery continuously discharges (not able to be charged, although it could be taken off line).
1.53 | Batt A Charge Switch Fail Shut | See 1.45.
1.54 | Batt A Discharge Switch Fail Shut | See 1.52.
1.55 | D18 Fails Open | Each charge switch has two parallel diodes on the charge switch battery output side. Diode failure prevents recharging battery B.
1.56 | D30 Fails Open | See 1.55.
1.57 | Broken Connection | See 1.48.
1.58 | Input Fuse Blows | See 1.49.
1.59 | Loss of +5 V from PCB to Batt B Chg Control | See 1.50.
1.60 | Batt B Chg Switch Component Failure | See 1.51.
1.61 | Batt B Discharge Switch Fails Shut | See 1.52.
1.62 | Batt B Charge Switch Fail Shut | See 1.53.
1.63 | Batt B Discharge Switch Fail Shut | See 1.52.
1.64 | Broken Connection | See 1.48.
1.65 | Input Fuse Blows | See 1.49.
1.66 | Loss of +5 V from PCB to S3 Control | See 1.50.
1.67 | Batt A On-line (S3) Component Failure | Failure prevents placing battery A on-line.
1.68 | Broken Connection | See 1.48.
1.69 | Input Fuse Blows | See 1.49.
1.70 | Loss of +5 V from PCB to S4 Control | See 1.50.
1.71 | Batt B On-line Switch (S4) Component Failure | See 1.67.
1.72 | Broken Data Line/Connection | Broken bus from the PCB wire bundle to the EPS logic board addressing register U17.
1.73 | PCB Interface Failure U17 | Failure prevents addressing and control of EPS switches.
1.74 | Loss of +5 V from PCB to Battery Control |
1.75 | P/S Contingency Redundancy Failure | A failure of one +5 Volt power supply could cause the failure of the redundant power supply.
1.76 | P/S "A" Failure | Failure of one +5 Volt power supply.
1.77 | P/S "B" Failure | Failure of the redundant +5 Volt power supply.
1.78 | PCB Failure | PCB failure causing loss of the +5 Volt bus to a subsystem or component.
1.79 | Interconnection Failure | PCB connection failure from the bus to the respective subsystem.
1.80 | Blown/Faulty Fuse | Each +5 Volt power supply is fused at the input to the regulating circuit.
1.81 | Input Filter Failure | The +5 Volt power supply contains an input filter from the raw bus to the regulating circuits.
1.82 | Output Filter Failure | There is a common +5 Volt output filter from the power supplies to the +5 Volt power bus.
1.83 | Master Current Sensor Failure | Current sensor located between the launch switches and the raw power bus. Failure could prevent power from any source from being distributed to the loads.
1.84 | Loss of +5 V from PCB | No power from the +5 Volt bus to the low threshold detector circuit, forcing the detector output low.
1.85 | Low Threshold Detector Fails Low | Detector failing low would prevent resetting the WDT.
1.86 | Broken Connection (PCB) | PCB cable failure preventing power distribution to other subsystems.
1.87 | PCB Interface Failure (U17) | See 1.73.
1.88 | PCB Bus/Connection Fault | Loss of command signaling to EPS components due to bus or connection failure.
1.89 | PCB Interface "U18" Failure | This is a command signal register. Failure would also prevent resetting the WDT.
1.90 | Loss of +5 V from PCB to PCB Interface Ckts | No power from the +5 Volt bus to the PCB interface ckt on the EPS logic board.
1.91 | Bit Flop in Route | Incorrect command signal received at the signal destination due to a bit flop in-route.
1.92 | DCS Addressing Error | Incorrect command signal address sent by the DCS, causing no (or incorrect) operations. Could be a critical failure.
1.93 | Logic Circuit "U21" | Register failure prevents all battery operations (both batteries A and B).
1.94 | Logic Circuit "U22" | Register failure prevents RF, TMUX, MASS, and antenna release power switch operations.
1.95 | Command Bus Failure (broken conn) | Broken bus connection between U17 and U21 (and/or U22) or from U21/U22 to the power switches.
1.96 | U32:A Failure | Prevents clocking register U21.
1.97 | U20:A Failure | Prevents clocking registers U21 and U22.
1.98 | U19 Failure | Prevents clocking registers U21 and U22.
1.99 | U31:D Failure | Prevents clocking register U22.
1.100 | U20:A Failure | Prevents clocking registers U21 and U22.
1.101 | U19 Failure | Prevents clocking registers U21 and U22.
1.102 | U17 Failure | See 1.73.
1.103 | U18 Failure | See 1.89.
1.104 | PCB Bus/Connection Fault | Prevents command signals passing to the switches if power from the PCB to the logic registers is lost.
1.105 | (description missing from the scanned table) | Supplies signal to switch to energize DCS A continuously.
1.106 | U27:A Q bar (Pin 6) Fails High | Supplies signal to switch to energize DCS B continuously.
1.107 | U27:A Q (Pin 5) Fails Low | Prevents signal switching to energize DCS A.
1.108 | U27:A Q bar (Pin 6) Fails Low | Prevents signal switching to energize DCS B.
1.109 | Loss of +5 V from PCB to U27:A | Causes U27:A outputs (Q and Q bar) to fail low, preventing power from being applied to either DCS A or DCS B.
1.110 | P/S Contingency Redundancy Failure |
1.111 | P/S "A" Failure | See 1.76.
1.112 | P/S "B" Failure | See 1.77.
1.113 | PCB Failure | See 1.78.
1.114 | Interconnection Failure | See 1.79.
1.115 | Blown/Faulty Fuse | See 1.80.
1.116 | Input Filter Failure | See 1.81.
1.117 | Output Filter Failure | See 1.82.
1.118 | Loss of +5 V from PCB to Low Threshold Ckt | Causes the low threshold detector to fail low (see 1.85).
1.119 | PCB Broken Connection | Unable to reset the WDT from the DCS due to PCB command signaling bus failure.
1.120 | PCB Interface "U18" Failure | See 1.89.
1.121 | Loss of +5 V from PCB to PCB Interface Ckts | See 1.90.
1.122 | WDT "U28" Failure | U28:C failure prevents resetting the WDT with the DCS reset signal.
1.123 | WDT "U20" Failure | U20:B failure prevents resetting the WDT with the DCS reset signal.
1.124 | WDT "U1" Failure | Unable to reset the WDT; the operating DCS remains powered until a DCS or power failure secures power to the DCS. Unable to recover.
1.125 | Loss of +5 V from PCB to Logic Ckts |
1.126 | High Threshold Detector (>4 Volts) | High threshold detector signal failing high will clear all logic registers and U27:A, causing a loss of power to both DCS A and B.
1.127 | Loss of +5 V from PCB to Low Threshold Ckt | See 1.118.
1.128 | WDT "U27" Failure | U27:A failure could secure power to one or both DCS subsystems. It is possible for U27:A to fail in a condition in which both outputs fail high. This would cause both DCS subsystems to "fight" for spacecraft control.
1.129 | Loss of +5 V from PCB to High Threshold Ckt |
1.130 | P/S Contingency Redundancy Failure | See 1.75.
1.131 | P/S "A" Failure | See 1.76.
1.132 | P/S "B" Failure | See 1.77.
1.133 | PCB Failure | See 1.78.
1.134 | Interconnection Failure | See 1.79.
1.135 | Blown/Faulty Fuse | See 1.80.
1.136 | Input Filter Failure | See 1.81.
1.137 | Output Filter Failure | See 1.82.
1.138 | Loss of +5 V from PCB to WDT Timing Ckt | Loss of power to U1 prevents resetting the WDT (see 1.122).
1.250 | Low Threshold Detector Fails Low | See 1.85.

Table A.1 Electrical Power Subsystem Critical Failure Events
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Event  Event 
Type 


Description 


1  event 


1  event 
1  event 
1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


CIRCLE 


CIRCLE 


CIRCLE 


DIAMOND 


DIAMOND 


DIAMOND 


DIAMOND 


DIAMOND 


DIAMOND 


DIAMOND 


CIRCLE 


CIRCLE 


DIAMOND 


DIAMOND 

DIAMOND 


CIRCLE 


CIRCLE 


CIRCLE 


1  event 


1  event 


1  event 


1  event 


1  event 


1  event 


CIRCLE 


CIRCLE 


CIRCLE 


DIAMOND 


1.1  Experimental  Current  Sensor  Failure 


1.7  Experimental  S/P  Blocking  Diode  Fails  Open 


1.8  Experimental  Panel  String  Broken 


1 . 14  Solar  Panel  Blocking  Diode  Fails  Open 

1.15  Panel  String  Broken 


1 .24  Faulty  Temp  Sensing  System  (TMUX) 


1 .25  Improper  Passive  Thermal  Control 


1 .26  Insufficient  Operator  Action 


1 .39  Battery  Monitor  Failure 
1 .43  Current/V oltage  Sensing  Ckt  Failure  U25/U26 


1.110  P/S  Contingency  Redundancy  Failure 


1.113  PCB  Failure 


1.114  Interconnection  Failure 


1.115  Blown/Faulty  Fuse 


1.116  Input  Filter  Failure 


1.117  Output  Filter  Failure 

1.118  Loss  of  +5  V  from  PCB  to  Low  Threshold  Ckt 
1 .250  Low  Threshold  Detector  Fails  Low 


1.119  PCB  Broken  Connection 


1 . 1 20  PCB  Interface  "U 1 8"  Failure 


1.121  Loss  of  +5  V  from  PCB  to  PCB  Interface  Ckts 


1.122  WDT  "U28"  Failure 


1.123  WDT  "U20"  Failure 


1.124  WDT  "Ul"  Failure 


1.125  Loss  of  +5  V  from  PCB  to  Logic  Ckts 


1 . 1 26  High  Threshold  Detector  (>4  Volts) 


1.128  WDT  "U27"  Failure 


1 . 1 29  Loss  of  +5  V  from  PCB  to  High  Threshold  Ckt 


29 

1  event 

DIAMOND 

1.138 

Loss  of  +5  V  from  PCB  to  WDT  Timing  Ckt 

30 

1  event 

DIAMOND 

1.109 

Loss  of  +5  V  from  PCB  to  U27:A 

31 

1  event 

DIAMOND 

1.83 

Master  Current  Sensor  Failure 
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
Min Cut Set   Size       Event Type   Event   Description
32            1 event    DIAMOND              Loss of +5 V from PCB
33            1 event    DIAMOND              Broken Connection (PCB)
34            1 event                         PCB Interface Failure (U17)
35            1 event    CIRCLE               PCB Bus/Connection Fault
36            1 event    DIAMOND              Bit Flop in Route
37            1 event    DIAMOND              DCS Addressing Error
38            1 event    CIRCLE               Logic Circuit "U21"
39            1 event    CIRCLE               Logic Circuit "U22"
40            1 event    CIRCLE               Command Bus Failure (broken conn)
41            1 event    CIRCLE               U32:A Failure
42            1 event    CIRCLE               U20:A Failure
43            1 event                         U19 Failure
44            1 event                         U31:D Failure
45            1 event                         U17 Failure
46            1 event    CIRCLE               U18 Failure
47            2 events   CIRCLE               S13 Failure
                         CIRCLE               S1 Failed
48            2 events   CIRCLE               S14 Failure
                         CIRCLE               S1 Failed
49            2 events   CIRCLE               S13 Failure
                         CIRCLE               S2 Failed
50            2 events   CIRCLE               S14 Failure
                         CIRCLE               S2 Failed
51            2 events   CIRCLE               Batt A Cell Interconnection Broken
                         CIRCLE               Batt B Cell Interconnection Broken
52            2 events   CIRCLE               Batt A Cell Internal Connection Broken
                         CIRCLE               Batt B Cell Interconnection Broken
53            2 events   DIAMOND              Batt A Cell Reversal
                         CIRCLE               Batt B Cell Interconnection Broken
54            2 events   DIAMOND              Batt A Plate Degradation
                         CIRCLE               Batt B Cell Interconnection Broken
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
Min Cut Set   Size       Event Type   Event   Description
55            2 events   DIAMOND      1.27    Batt A Improper Charge Rates
                         CIRCLE       1.33    Batt B Cell Interconnection Broken
56            2 events   CIRCLE       1.28    Substandard seal construction
                         CIRCLE       1.33    Batt B Cell Interconnection Broken
57            2 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         CIRCLE       1.33    Batt B Cell Interconnection Broken
58            2 events   CIRCLE       1.20    Batt A Cell Interconnection Broken
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
59            2 events   CIRCLE       1.21    Batt A Cell Internal Connection Broken
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
60            2 events   DIAMOND      1.22    Batt A Cell Reversal
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
61            2 events                        Batt A Plate Degradation
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
62            2 events   DIAMOND      1.27    Batt A Improper Charge Rates
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
63            2 events   CIRCLE       1.28    Substandard seal construction
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
64            2 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         CIRCLE       1.34    Batt B Cell Internal Connection Broken
65            2 events                1.20    Batt A Cell Interconnection Broken
                                      1.35    Sub-standard Seal Construction
66            2 events   CIRCLE       1.21    Batt A Cell Internal Connection Broken
                         CIRCLE       1.35    Sub-standard Seal Construction
67            2 events   DIAMOND      1.22    Batt A Cell Reversal
                         CIRCLE       1.35    Sub-standard Seal Construction
68            2 events   DIAMOND      1.23    Batt A Plate Degradation
                         CIRCLE       1.35    Sub-standard Seal Construction
69            2 events                1.27    Batt A Improper Charge Rates
                         CIRCLE       1.35    Sub-standard Seal Construction
70            2 events   CIRCLE       1.28    Substandard seal construction
                         CIRCLE       1.35    Sub-standard Seal Construction
71            2 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         CIRCLE       1.35    Sub-standard Seal Construction
72            2 events   CIRCLE       1.20    Batt A Cell Interconnection Broken
                         DIAMOND      1.36    Batt B Cell Reversal
73            2 events   CIRCLE               Batt A Cell Internal Connection Broken
                         DIAMOND              Batt B Cell Reversal
74            2 events   DIAMOND      1.22    Batt A Cell Reversal
                         DIAMOND      1.36    Batt B Cell Reversal
75            2 events   DIAMOND      1.23    Batt A Plate Degradation
                         DIAMOND      1.36    Batt B Cell Reversal
76            2 events   DIAMOND      1.27    Batt A Improper Charge Rates
                         DIAMOND      1.36    Batt B Cell Reversal
77            2 events   CIRCLE               Substandard seal construction
                         DIAMOND              Batt B Cell Reversal
78            2 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         DIAMOND      1.36    Batt B Cell Reversal
79            2 events   CIRCLE       1.20    Batt A Cell Interconnection Broken
                         DIAMOND              Batt B Plate Degradation
80            2 events   CIRCLE               Batt A Cell Internal Connection Broken
                         DIAMOND      1.37    Batt B Plate Degradation
81            2 events   DIAMOND      1.22    Batt A Cell Reversal
                         DIAMOND      1.37    Batt B Plate Degradation
82            2 events   DIAMOND      1.23    Batt A Plate Degradation
                         DIAMOND      1.37    Batt B Plate Degradation
83            2 events   DIAMOND      1.27    Batt A Improper Charge Rates
                         DIAMOND      1.37    Batt B Plate Degradation
84            2 events   CIRCLE       1.28    Substandard seal construction
                         DIAMOND      1.37    Batt B Plate Degradation
85            2 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         DIAMOND      1.37    Batt B Plate Degradation
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
Min Cut Set   Size       Event Type   Event   Description
86            2 events   CIRCLE       1.20    Batt A Cell Interconnection Broken
                         DIAMOND      1.38    Batt B Improper Charge Rates
87            2 events   CIRCLE       1.21    Batt A Cell Internal Connection Broken
                         DIAMOND      1.38    Batt B Improper Charge Rates
88            2 events   DIAMOND      1.22    Batt A Cell Reversal
                         DIAMOND      1.38    Batt B Improper Charge Rates
89            2 events   DIAMOND      1.23    Batt A Plate Degradation
                         DIAMOND      1.38    Batt B Improper Charge Rates
90            2 events   DIAMOND      1.27    Batt A Improper Charge Rates
                         DIAMOND      1.38    Batt B Improper Charge Rates
91            2 events   CIRCLE       1.28    Substandard seal construction
                         DIAMOND      1.38    Batt B Improper Charge Rates
92            2 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         DIAMOND      1.38    Batt B Improper Charge Rates
93            2 events   CIRCLE       1.20    Batt A Cell Interconnection Broken
                         DIAMOND      1.40    Battery "B" Current Sensor Failure
94            2 events   CIRCLE       1.21    Batt A Cell Internal Connection Broken
                         DIAMOND      1.40    Battery "B" Current Sensor Failure
95            2 events   DIAMOND      1.22    Batt A Cell Reversal
                         DIAMOND      1.40    Battery "B" Current Sensor Failure
96            2 events   DIAMOND      1.23    Batt A Plate Degradation
                         DIAMOND      1.40    Battery "B" Current Sensor Failure
97            2 events   DIAMOND      1.27    Batt A Improper Charge Rates
                         DIAMOND      1.40    Battery "B" Current Sensor Failure
98            2 events   CIRCLE       1.28    Substandard seal construction
                                      1.40    Battery "B" Current Sensor Failure
99            2 events                1.32    Battery "A" Current Sensor Failure
                                      1.40    Battery "B" Current Sensor Failure
100           2 events                1.112   P/S "B" Failure
                                      1.111   P/S "A" Failure
101           2 events                1.106   U27:A Q bar (Pin 6) fails High
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
Min Cut Set   Size       Event Type   Event   Description
101 (cont.)              CIRCLE               U27:A Q (Pin 5) fails High
102           2 events   CIRCLE       1.105   U27:A Q bar (Pin 6) Fails Low
                                              U27:A Q (Pin 5) Fails Low
103           3 events                        Experimental Line 1 SP Fuse Blows
                                              Experimental Line 2 SP Fuse Blows
                                              Experimental Connection Broken
104           3 events                        Experimental Line 1 EPS Fuse Blows
                                              Experimental Line 2 SP Fuse Blows
                                              Experimental Connection Broken
105           3 events                        Experimental Line 1 SP Fuse Blows
                                              Experimental Line 2 EPS Fuse Blows
                                              Experimental Connection Broken
106           3 events   CIRCLE               Experimental Line 1 EPS Fuse Blows
                         CIRCLE               Experimental Line 2 EPS Fuse Blows
                                              Experimental Connection Broken
107           3 events                        Line 1 SP Fuse Blows
                                              Line 2 SP Fuse Blows
                                              Connection Broken
108           3 events                        Line 1 EPS Fuse Blows
                                              Line 2 SP Fuse Blows
                                              Connection Broken
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
Min Cut Set   Size       Event Type   Event   Description
109           3 events   CIRCLE               Line 1 SP Fuse Blows
                         CIRCLE               Line 2 EPS Fuse Blows
                         CIRCLE               Connection Broken
110           3 events   CIRCLE               Line 1 EPS Fuse Blows
                         CIRCLE               Line 2 EPS Fuse Blows
                                              Connection Broken
111           3 events   CIRCLE               Blocking Diode D20 Fails Open
                         CIRCLE               Blocking Diode D9 Fails Open
                         CIRCLE               Batt B Cell Interconnection Broken
112           3 events   CIRCLE               Blocking Diode D20 Fails Open
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
Min Cut Set   Size       Event Type   Event   Description
112 (cont.)              CIRCLE       1.30    Blocking Diode D9 Fails Open
                                              Batt B Cell Internal Connection Broken
113           3 events   CIRCLE               Blocking Diode D20 Fails Open
                         CIRCLE               Blocking Diode D9 Fails Open
                         CIRCLE               Sub-standard Seal Construction
114           3 events   CIRCLE               Blocking Diode D20 Fails Open
                         CIRCLE               Blocking Diode D9 Fails Open
                         DIAMOND              Batt B Cell Reversal
115           3 events   CIRCLE               Blocking Diode D20 Fails Open
                         CIRCLE               Blocking Diode D9 Fails Open
                         DIAMOND              Batt B Plate Degradation
116           3 events   CIRCLE               Blocking Diode D20 Fails Open
                         CIRCLE               Blocking Diode D9 Fails Open
                         DIAMOND              Batt B Improper Charge Rates
117           3 events   CIRCLE       1.31    Blocking Diode D20 Fails Open
                         CIRCLE       1.30    Blocking Diode D9 Fails Open
                                              Battery "B" Current Sensor Failure
118           3 events                        Batt A Cell Interconnection Broken
                                              Blocking Diode D28 Fails Open
                                              Blocking Diode D10 Fails Open
119           3 events   CIRCLE               Batt A Cell Internal Connection Broken
                         CIRCLE               Blocking Diode D28 Fails Open
                         CIRCLE               Blocking Diode D10 Fails Open
120           3 events   DIAMOND              Batt A Cell Reversal
                         CIRCLE               Blocking Diode D28 Fails Open
                         CIRCLE               Blocking Diode D10 Fails Open
121           3 events   DIAMOND              Batt A Plate Degradation
                         CIRCLE               Blocking Diode D28 Fails Open
                         CIRCLE               Blocking Diode D10 Fails Open
122           3 events   DIAMOND              Batt A Improper Charge Rates
                         CIRCLE               Blocking Diode D28 Fails Open
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
Min Cut Set   Size       Event Type   Event   Description
122 (cont.)              CIRCLE       1.41    Blocking Diode D10 Fails Open
123           3 events   CIRCLE       1.28    Substandard seal construction
                         CIRCLE       1.42    Blocking Diode D28 Fails Open
                         CIRCLE       1.41    Blocking Diode D10 Fails Open
124           3 events   DIAMOND      1.32    Battery "A" Current Sensor Failure
                         CIRCLE       1.42    Blocking Diode D28 Fails Open
                         CIRCLE       1.41    Blocking Diode D10 Fails Open
125           4 events   CIRCLE       1.31    Blocking Diode D20 Fails Open
                         CIRCLE       1.30    Blocking Diode D9 Fails Open
                         CIRCLE       1.42    Blocking Diode D28 Fails Open
                         CIRCLE       1.41    Blocking Diode D10 Fails Open

Table  A.2  Electrical  Power  Subsystem  Minimum  Cut  Sets 
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
APPENDIX B. RF SUBSYSTEM FAULT TREE ANALYSIS

This appendix contains the raw data for the FTA of the RF subsystem. Figure B.1 is a block diagram of the RF subsystem and Fig. B.2 is a depiction of the antenna assembly. The RF failure end events are listed in Table B.1 with a brief description. Table B.2 lists the minimum cut sets for the RF system generated by the FaultrEASE software program for the PANSAT fault tree in Appendix D.

The minimum cut sets were generated using a direct evaluation technique employed by the software package. The basic end events were compared by their description label contents.

[Figure B.1 RF Subsystem Block Diagram]


Event   End Event Failure                              Notes
2.1     Broken Connection                              Refers to broken connection between PCB and PCB interface ckt
2.2     PCB Interface Failure                          Failure prevents power to RF components
2.3     P/S Contingency Redundancy Failure             Refers to a failure of one of the +5 Volt power supplies causing a failure in the second (standby) +5 Volt power supply. This is possible with the current design.
2.4     P/S "A" Failure                                Failure of one of the +5 Volt power supplies (listed as power supply A)
2.5     P/S "B" Failure                                Failure of the second +5 Volt power supply (listed as power supply B)
2.6     PCB Failure                                    Failure of PCB cabling in distribution of +5 Volt
2.7     Interconnection Failure                        Failure of PCB connectors
2.8     Blown/Faulty Fuse                              Failure of +5 Volt P/S input fuses
2.9     Input Filter Failure                           Failure of +5 Volt P/S line filter from raw power bus
2.10    Output Filter Failure                          Failure of +5 Volt P/S line filter to +5 Volt bus
2.11    Conditioning Circuit Failure                   Conditions power for local use
2.12    Amp #1-1 Fail                                  RF Transmitter section amplifier
        Amp #1-2 Fail                                  RF Transmitter section amplifier
2.14    Amp #2-1 Fail                                  RF Transmitter section amplifier
2.15    Amp #2-2 Fail                                  RF Transmitter section amplifier
2.16    Loss of Raw Bus Power                          Loss of power to RF transmitter section
2.17    RF Switch S3 Mechanical Failure                Selects one of two cascaded HPA's, each of which contains two amplifiers
2.18    Broken Command Signaling Bus to RF S3          No command signal received at switch due to loss of conductivity between control signaling bus and the switch
2.19    DCS Command Signaling Failure to RF S3         No command signal received at switch due to incorrect command addressing logic
2.20    Loss of Power to RF S3                         Loss of power for the command (control) signaling bus from the RF PCB Interface Ckt
2.21    DCS Addressing Error to RF S3                  Incorrect command signal received at switch due to invalid addressing logic
2.22    Bit Flop in Route to Switch to RF S3           Incorrect command signal received at switch due to an address or command signal bit flop in-route from the DCS to the switch
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
2.23    Power Surge to RF S3                           Incorrect command signal received at the switch due to a power surge on the command bus.
2.24    RF S9 Switch Mechanical Failure                Selects which DCS transmitter section the RF transmitter will be connected to. One possible failure is if the switch were to fail in mid position
2.25    Broken Command Signaling Bus to RF S9
2.26    DCS Command Signaling Failure to RF S9
2.27    Loss of Power to RF S9
2.28    DCS Addressing Error to RF S9
2.29    Bit Flop in Route to Switch to RF S9
2.30    Power Surge to RF S9
2.31    RF S2 Switch Mechanical Failure                Switch selects one of two independent LNA's
2.32    Broken Command Signaling Bus to RF S2          Broken command signaling conductivity prevents commanding and control of switches
2.33    DCS Command Signaling Failure to RF S2         Failure of command signal from
2.34    Loss of Power to RF S2
2.35    DCS Addressing Error to RF S2                  Incorrect or inadvertent switch address sent to EPS logic ckt
2.36    Bit Flop in Route to Switch to RF S2           Incorrect command signal at switch control due to bit error in-route
2.37    Power Surge to RF S2
2.38    RF S2 Switch Power Failure
2.39    LNA #1 Component Failure                       Failure prevents amplification of receive DSSS signal
2.40    Loss of Raw Bus Power to LNA #1
2.41    LNA #2 Component Failure                       Failure prevents amplification of receive DSSS signal
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
Event   End Event Failure                              Notes
        Loss of Raw Bus Power to LNA #2
        RF S8 Switch Mechanical Failure                Switch selects which DCS will receive message signal
        Broken Command Signaling Bus to RF S8
        DCS Command Signaling Failure to RF S8
        Loss of Power to RF S8
        DCS Addressing Error to RF S8
        Bit Flop in Route to Switch to RF S8
        Power Surge to RF S8
        RF S4 Switch Mechanical Failure                Switch routes the transmit and receive signals from and to the local oscillator section
        Broken Command Signaling Bus to RF S4
        DCS Command Signaling Failure to RF S4
        Loss of Power to RF S4
        DCS Addressing Error to RF S4
        Bit Flop in Route to Switch to RF S4
        Power Surge to RF S4
        High Antenna Coupling Impedance                This failure is caused by high impedance of the T connector connecting the 4 dipole antennas to the coaxial cable or the connection of the coaxial cable to the BPF
        Open Primary or Secondary Windings             Failure of the impedance matching transformers connecting the 4 dipole antennas to the T connectors
        High Primary/Secondary Impedance               High impedance could reject or severely attenuate signal
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
Event   End Event Failure                              Notes
2.60    Antenna T-Connector Failure (1 of 3)           Prevents signal transmission to and from antenna
2.61    Broken Coax from Feed System to BPF            Failure causes loss of conductivity between antenna and RF subsystem
2.62    Shorted Primary to Ground                      Signal at antenna impedance matching transformers shorted to ground
2.63    Shorted Secondary to Ground                    Signal at antenna impedance matching transformers shorted to ground
2.64    Shorted Primary to Secondary                   Changes impedance coupling characteristics
2.65    Antenna T-Connector Failure (1 of 3)
2.66    Increased Pass Bandwidth                       Antenna BPF bandwidth increases (more noise passed through BPF, lowering the signal to noise ratio)
2.67    Alter Pass Band Characteristics                Increased noise (lower signal to noise ratio) due to altered BPF characteristic response curve
2.68    Increased Filter Line Impedance                Signal strength decreased due to higher line impedance caused by BPF
2.69    Signal Coupled to Ground                       Signal strength decreased due to failure in BPF coupling signal to ground
2.70    Broken Signal Path (filter)                    Signal path broken between antenna and RF subsystem by BPF
2.71    Signal Shorted to Ground                       Signal shorted to ground by BPF
2.72    T/R Switch (S1) Mechanical Failure             Switch selects signals from either the HPA or LNA to the antenna
2.73    Broken Command Signaling Bus to S1
2.74    DCS Command Signaling Failure to S1
2.75    Loss of Command Signaling Power to S1
2.76    DCS Addressing Error to S1
2.77    Bit Flop in Route to Switch to S1
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
Event   End Event Failure                              Notes
2.78    Power Surge (transient anomaly) to S1
2.79    Antenna Deployment Hardware Circuit Failure
2.80    Improper Control Signal                        Incorrect commanding signal from DCS to deploy the dipole antennas
2.81    Control Signal Bus Failure                     Antenna deployment command signal does not reach deployment circuit due to command bus failure
2.82    Antenna Release Heater Failure
2.83    Insufficient Solar Power                       Power required to deploy antennas
2.84    Low Battery Power                              Power required to deploy antennas (this may not be a valid failure scenario since the battery is not relied upon as a power source for antenna deployment)
2.85    Antenna Manually Fails to Release              If the antenna deployment circuit does not function, it is anticipated that the nylon cords which hold the antennas in place will eventually sever
2.86    Antenna Failure (1 of 4)                       Antenna fails due to mechanical failure (e.g., broken dipole, antenna separates from its mounting, etc.)
2.87    Antenna Grounded                               Antenna shorts signal to structure or system ground
2.88    RF S5 Switch Mechanical Failure                Switch connects a local oscillator to RF S4
2.89    Broken Command Signaling Bus to RF S5
2.90    DCS Command Signaling Failure to RF S5
2.91    Loss of Power to RF S5
2.92    DCS Addressing Error to RF S5
2.93    Bit Flop in Route to Switch to RF S5
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
Event   End Event Failure                              Notes
2.94    Power Surge to RF S5
2.95    RF S6 Switch Mechanical Failure                Switch connects local oscillator to RF S7
2.96    Broken Command Signaling Bus to RF S6
2.97    DCS Command Signaling Failure to RF S6
2.98    Loss of Power to RF S6
2.99    DCS Addressing Error to RF S6
2.100   Bit Flop in Route to Switch to RF S6
2.101   Power Surge to RF S6
2.102   RF S7 Switch Mechanical Failure                Switch connects signal to/from RF S6 to the respective DCS transmitter and receiver sections
2.103   Broken Command Signaling Bus to RF S7
2.104   DCS Command Signaling Failure to RF S7
2.105   Loss of Power to RF S7
2.106   DCS Addressing Error to RF S7
2.107   Bit Flop in Route to Switch to RF S7
2.108   Power Surge to RF S7
2.109   Oscillator #1 Ckt Failure                      Upshifts and downshifts transmission freq. to IF
2.110   Oscillator #1 Frequency Drift                  Frequency drift could cause rejection by bandpass filters or message distortion
2.111   Mixer #1 Failure                               Conducts frequency upshift and downshift
2.112   Oscillator #2 Ckt Failure                      Upshifts and downshifts transmission frequency to IF
2.113   Oscillator #2 Frequency Drift                  Frequency drift could cause rejection by bandpass filters or message distortion
2.114   Mixer #2 Failure                               Conducts frequency upshift and downshift

Table B.1 RF Subsystem Critical End Events
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
Min Cut Set   Size       Event Type   Event   Description
1             1 event    DIAMOND      2.1     Broken Connection
2             1 event    DIAMOND      2.2     PCB Interface Failure
3             1 event                         P/S Contingency Redundancy Failure
4             1 event                         PCB Failure
5             1 event    CIRCLE       2.7     Interconnection Failure
6             1 event                 2.8     Blown/Faulty Fuse
7             1 event    DIAMOND      2.9     Input Filter Failure
8             1 event                         Output Filter Failure
9             1 event    DIAMOND      2.11    Conditioning Circuit Failure
10            1 event    DIAMOND      2.16    Loss of Raw Bus Power
11            1 event    CIRCLE       2.17    RF Switch S3 Mechanical Failure
12            1 event    DIAMOND      2.18    Broken Command Signaling Bus to RF S3
13            1 event    DIAMOND      2.19    DCS Command Signaling Failure to RF S3
14            1 event    DIAMOND      2.20    Loss of Power to RF S3
15            1 event    DIAMOND      2.21    DCS Addressing Error to RF S3
16            1 event    DIAMOND      2.22    Bit Flop in Route to Switch to RF S3
17            1 event    DIAMOND      2.23    Power Surge to RF S3
18            1 event                         RF S4 Switch Mechanical Failure
19            1 event                         Broken Command Signaling Bus to RF S4
20            1 event                         DCS Command Signaling Failure to RF S4
21            1 event    DIAMOND      2.53    Loss of Power to RF S4
22            1 event                         DCS Addressing Error to RF S4
23            1 event                         Bit Flop in Route to Switch to RF S4
24            1 event    DIAMOND      2.56    Power Surge to RF S4
25            1 event    CIRCLE       2.24    RF S9 Switch Mechanical Failure
26            1 event    DIAMOND              Broken Command Signaling Bus to RF S9
27            1 event    DIAMOND              DCS Command Signaling Failure to RF S9
28            1 event    DIAMOND              Loss of Power to RF S9
29            1 event    DIAMOND      2.28    DCS Addressing Error to RF S9
30            1 event    DIAMOND      2.29    Bit Flop in Route to Switch to RF S9
31            1 event    DIAMOND      2.30    Power Surge to RF S9
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
Min Cut Set   Size       Event Type   Event   Description
32            1 event    DIAMOND      2.57    High Antenna Coupling Impedance
33            1 event    CIRCLE       2.58    Open Primary or Secondary Windings
34            1 event    DIAMOND      2.59    High Primary/Secondary Impedance
35            1 event    DIAMOND      2.60    Antenna T-Connector Failure (1 of 3)
36            1 event    CIRCLE       2.61    Broken Coax from Feed System to BPF
37            1 event    CIRCLE               Shorted Primary to Ground
38            1 event    CIRCLE       2.63    Shorted Secondary to Ground
39            1 event    CIRCLE       2.64    Shorted Primary to Secondary
40            1 event    CIRCLE       2.65    Antenna T-Connector Failure (1 of 3)
41            1 event    DIAMOND      2.66    Increased Pass Bandwidth
42            1 event                 2.67    Alter Pass Band Characteristics
43            1 event    DIAMOND      2.68    Increased Filter Line Impedance
44            1 event    DIAMOND      2.69    Signal Coupled to Ground
45            1 event    DIAMOND      2.70    Broken Signal Path (filter)
46            1 event    DIAMOND      2.71    Signal Shorted to Ground
47            1 event    CIRCLE       2.72    T/R Switch (S1) Mechanical Failure
48            1 event    DIAMOND      2.73    Broken Command Signaling Bus to S1
49            1 event    DIAMOND      2.74    DCS Command Signaling Failure to S1
50            1 event    DIAMOND      2.75    Loss of Command Signaling Power to S1
51            1 event    DIAMOND      2.76    DCS Addressing Error to S1
52            1 event                         Bit Flop in Route to Switch to S1
53            1 event                         Power Surge (transient anomaly) to S1
54            1 event    CIRCLE       2.86    Antenna Failure (1 of 4)
55            1 event    CIRCLE       2.87    Antenna Grounded
56            1 event    CIRCLE       2.88    RF S5 Switch Mechanical Failure
57            1 event    DIAMOND      2.89    Broken Command Signaling Bus to RF S5
58            1 event    DIAMOND      2.90    DCS Command Signaling Failure to RF S5
59            1 event    DIAMOND      2.91    Loss of Power to RF S5
60            1 event    DIAMOND      2.92    DCS Addressing Error to RF S5
61            1 event    DIAMOND      2.93    Bit Flop in Route to Switch to RF S5
62            1 event    DIAMOND      2.94    Power Surge to RF S5
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
Min Cut Set   Size       Event Type   Event   Description
63            1 event                         RF S6 Switch Mechanical Failure
64            1 event                         Broken Command Signaling Bus to RF S6
65            1 event                         DCS Command Signaling Failure to RF S6
66            1 event                         Loss of Power to RF S6
67            1 event                         DCS Addressing Error to RF S6
68            1 event                         Bit Flop in Route to Switch to RF S6
69            1 event                         Power Surge to RF S6
70            1 event                         RF S7 Switch Mechanical Failure
71            1 event                         Broken Command Signaling Bus to RF S7
72            1 event                         DCS Command Signaling Failure to RF S7
73            1 event                         Loss of Power to RF S7
74            1 event                         DCS Addressing Error to RF S7
75            1 event                         Bit Flop in Route to Switch to RF S7
76            1 event                         Power Surge to RF S7
77            1 event                         RF S8 Switch Mechanical Failure
78            1 event                         Broken Command Signaling Bus to RF S8
79            1 event                         DCS Command Signaling Failure to RF S8
80            1 event                         Loss of Power to RF S8
81            1 event                         DCS Addressing Error to RF S8
82            1 event                         Bit Flop in Route to Switch to RF S8
83            1 event                         Power Surge to RF S8
84            1 event                         RF S2 Switch Mechanical Failure
85            1 event                         Broken Command Signaling Bus to RF S2
86            1 event                         DCS Command Signaling Failure to RF S2
87            1 event                         Loss of Power to RF S2
88            1 event                         DCS Addressing Error to RF S2
89            1 event                         Bit Flop in Route to Switch to RF S2
90            1 event                         Power Surge to RF S2
91            2 events                        P/S "B" Failure
                                              P/S "A" Failure
92            2 events                        Amp #1-1 Fail
                         DIAMOND      2.14    Amp #2-1 Fail
93            2 events   DIAMOND              Amp #1-2 Fail
                         DIAMOND              Amp #2-1 Fail
94            2 events   DIAMOND      2.12    Amp #1-1 Fail
                         DIAMOND      2.15    Amp #2-2 Fail
95            2 events   DIAMOND              Amp #1-2 Fail
                         DIAMOND              Amp #2-2 Fail
96            2 events   DIAMOND      2.79    Antenna Deployment Hardware Circuit Failure
                         CIRCLE       2.85    Antenna Manually Fails to Release
97            2 events   DIAMOND      2.80    Improper Control Signal
                         CIRCLE       2.85    Antenna Manually Fails to Release
98            2 events   DIAMOND      2.81    Control Signal Bus Failure
                         CIRCLE       2.85    Antenna Manually Fails to Release
99            2 events   CIRCLE       2.82    Antenna Release Heater Failure
                         CIRCLE       2.85    Antenna Manually Fails to Release
100           2 events   DIAMOND      2.83    Insufficient Solar Power
                         CIRCLE               Antenna Manually Fails to Release
101           2 events   DIAMOND              Low Battery Power
                         CIRCLE       2.85    Antenna Manually Fails to Release
102           2 events   DIAMOND      2.109   Oscillator #1 Ckt Failure
                         DIAMOND      2.112   Oscillator #2 Ckt Failure
103           2 events   DIAMOND      2.110   Oscillator #1 Frequency Drift
                         DIAMOND      2.112   Oscillator #2 Ckt Failure
104           2 events   DIAMOND      2.111   Mixer #1 Failure
                         DIAMOND      2.112   Oscillator #2 Ckt Failure
105           2 events   DIAMOND      2.109   Oscillator #1 Ckt Failure
                         DIAMOND      2.113   Oscillator #2 Frequency Drift
106           2 events                2.110   Oscillator #1 Frequency Drift
                         DIAMOND      2.113   Oscillator #2 Frequency Drift
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
Min Cut Set   Size       Event Type   Event   Description
107           2 events   DIAMOND      2.111   Mixer #1 Failure
                         DIAMOND      2.113   Oscillator #2 Frequency Drift
108           2 events   DIAMOND      2.109   Oscillator #1 Ckt Failure
                         DIAMOND      2.114   Mixer #2 Failure
109           2 events   DIAMOND      2.110   Oscillator #1 Frequency Drift
                         DIAMOND      2.114   Mixer #2 Failure
110           2 events   DIAMOND      2.111   Mixer #1 Failure
                         DIAMOND      2.114   Mixer #2 Failure
111           2 events   DIAMOND      2.39    LNA #1 Component Failure
                         DIAMOND      2.41    LNA #2 Component Failure
112           2 events   DIAMOND      2.40    Loss of Raw Bus Power to LNA #1
                         DIAMOND      2.41    LNA #2 Component Failure
113           2 events   DIAMOND      2.39    LNA #1 Component Failure
                         DIAMOND      2.42    Loss of Raw Bus Power to LNA #2
114           2 events   DIAMOND      2.40    Loss of Raw Bus Power to LNA #1
                         DIAMOND      2.42    Loss of Raw Bus Power to LNA #2

Table B.2 RF Subsystem Minimum Cut Sets


APPENDIX C. DIGITAL CONTROL SUBSYSTEM FAULT TREE ANALYSIS

This appendix contains the raw data for the FTA of the DCS. Figure C.1 is a functional block diagram of the DCS. The DCS failure end events are listed in Table C.1 and the DCS minimum cut sets generated by the FaultrEASE software program for the PANSAT fault tree in Appendix D are listed in Table C.2.

The minimum cut sets were generated using a direct evaluation technique employed by the software package. The basic end events were compared by their description label contents. There are repeated events listed for this fault tree, but each event is assumed to be different from the rest. This difference, however, may only be in the failure of conductivity between two points. For example, events 3.17 and 3.23 are both microprocessor (µP) failures. The difference between the two events may be two different kinds of µP failures which could cause different failure paths.
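The direct evaluation that both appendix introductions describe, as an added example that is not part of the thesis and is not the FaultrEASE program: gates are expanded top-down into AND/OR combinations of basic events and the non-minimal sets are dropped. The subtree is constructed from the Table A.2 battery events; the gate structure, the blocking-diode pairing and the top event are assumptions, and the second function shows why comparing events by description label, the rule both appendices state, keeps the differently spelled seal events 1.28 and 1.35 apart.

```python
"""Minimum cut sets of a fault tree by direct (top-down) evaluation.

Added example; not the thesis's FaultrEASE output. Gates are expanded into
Boolean AND/OR combinations of basic events and non-minimal sets removed.
The subtree is constructed from the EPS battery end events of Table A.2; the
gate structure and the top event are assumptions, not the thesis's tree.
"""
from collections import Counter
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Union


@dataclass(frozen=True)
class Event:
    """Basic end event. As in the thesis, events are compared by their
    description label, so two events with identical labels are one event."""
    ident: str
    label: str


@dataclass
class Gate:
    kind: str                                   # "AND" or "OR"
    children: List[Union["Gate", Event]] = field(default_factory=list)


def expand(node: Union[Gate, Event]) -> List[FrozenSet[str]]:
    """Every (not yet minimal) cut set that fails `node`, as sets of labels."""
    if isinstance(node, Event):
        return [frozenset([node.label])]
    child_sets = [expand(child) for child in node.children]
    if node.kind == "OR":
        # Any one child failing fails the gate: concatenate the children's sets.
        return [cs for sets in child_sets for cs in sets]
    if node.kind == "AND":
        # Every child must fail: merge one set drawn from each child.
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(top: Gate) -> List[FrozenSet[str]]:
    """Deduplicate, then drop every set that contains a smaller cut set."""
    minimal: List[FrozenSet[str]] = []
    for cs in sorted(set(expand(top)), key=lambda s: (len(s), sorted(s))):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def sizes(cut_sets: List[FrozenSet[str]]) -> Dict[int, int]:
    """Histogram of cut set size; the 1-event entries are single point failures."""
    return dict(Counter(len(cs) for cs in cut_sets))


# Event numbers and labels as printed in Table A.2.
BATT_A = [Event(i, l) for i, l in [
    ("1.20", "Batt A Cell Interconnection Broken"),
    ("1.21", "Batt A Cell Internal Connection Broken"),
    ("1.22", "Batt A Cell Reversal"),
    ("1.23", "Batt A Plate Degradation"),
    ("1.27", "Batt A Improper Charge Rates"),
    ("1.28", "Substandard seal construction"),
    ("1.32", 'Battery "A" Current Sensor Failure'),
]]
BATT_B = [Event(i, l) for i, l in [
    ("1.33", "Batt B Cell Interconnection Broken"),
    ("1.34", "Batt B Cell Internal Connection Broken"),
    ("1.35", "Sub-standard Seal Construction"),
    ("1.36", "Batt B Cell Reversal"),
    ("1.37", "Batt B Plate Degradation"),
    ("1.38", "Batt B Improper Charge Rates"),
    ("1.40", 'Battery "B" Current Sensor Failure'),
]]
D9 = Event("1.30", "Blocking Diode D9 Fails Open")
D20 = Event("1.31", "Blocking Diode D20 Fails Open")
D10 = Event("1.41", "Blocking Diode D10 Fails Open")
D28 = Event("1.42", "Blocking Diode D28 Fails Open")
MASTER_SENSOR = Event("1.83", "Master Current Sensor Failure")


def eps_battery_subtree() -> Gate:
    """Assumed structure: battery power is lost when both battery paths are
    lost, or when the master current sensor (a single point) fails. A path is
    lost through any cell or charging fault, or through both of its blocking
    diodes failing open; the diode pairing follows cut sets 111 to 125."""
    batt_a_lost = Gate("OR", BATT_A + [Gate("AND", [D20, D9])])
    batt_b_lost = Gate("OR", BATT_B + [Gate("AND", [D28, D10])])
    return Gate("OR", [MASTER_SENSOR, Gate("AND", [batt_a_lost, batt_b_lost])])


def same_label_collapses() -> List[FrozenSet[str]]:
    """Why label comparison matters: had the B-side seal event been typed
    exactly like 1.28, {seal} alone would be a cut set and would absorb every
    pair containing it. On the page 1.28 and 1.35 are spelled differently,
    so the tool keeps them apart and reports them only in two-event sets."""
    seal = "Substandard seal construction"          # constructed duplicate label
    tree = Gate("AND", [Gate("OR", [BATT_A[0], Event("1.28", seal)]),
                        Gate("OR", [BATT_B[0], Event("1.35", seal)])])
    return minimal_cut_sets(tree)
```

`sizes(minimal_cut_sets(eps_battery_subtree()))` gives `{1: 1, 2: 49, 3: 14, 4: 1}`: the single point failure, the 7 x 7 Batt A/Batt B pairs, the two diode-pair groups, and the four-diode set, matching the groups in Table A.2.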




Event  End Event Failure                                      Notes 

3.1    MASS A Failure                                         Contains 4 Mbytes static RAM and 512 Kbytes of flash memory. Accessible from either DCS. 
3.2    MASS B Failure                                         Contains 4 Mbytes static RAM and 512 Kbytes of flash memory. Accessible from either DCS. 
3.3    DCS A Interface Ckt (PCB) Failure                      Regulates power from raw power bus for the DCS ckt. 
3.4    DCS A μP Failure                                       Commanding and processing unit for the spacecraft. 
3.5    DCS A EDAC Failure                                     Failure may cause inability to read from RAM or incorrect data transfer. 
3.6    DCS A μP RAM Failure                                   Limits or prevents μP operations. 
3.7    DCS A μP ROM Failure                                   Failure causes inability to load base operating system. 
3.8    PCB Failure to DCS A                                   PCB interface ckt failure. 
3.9    Peripheral Function                                    All peripheral sub-system functioning. 
3.10   DCS A Digital Control Ckt Failure                      Logic conductivity between μP and SCC to the modem board. 
3.11   Loss of Raw Bus Power from PCB to DCS A                No power for DCS. 
3.12   PCB Interface Failure to DCS A                         Unable to communicate with peripheral subsystems and/or loss of power for DCS. 
3.13   DCS A SC Logic Board Power Conditioner Failure         Loss of regulated power for DCS. 
3.14   DCS A Local Oscillator (70 MHz) Failure                Freq. modulation to/from IF. 
3.15   DCS A Transmitter Mixer Failure                        Failure results in inability to frequency shift transmission data from baseband to IF. 
3.16   DCS A 70 MHz Transmitter Output Band Pass Filter (BPF) Failure could reject, distort, or attenuate transmission data stream to RF subsystem. 
3.17   DCS A μP Failure                                       See 3.4. 
3.18   DCS A EDAC Failure                                     See 3.5. 
3.19   DCS A μP RAM Failure                                   See 3.6. 
3.20   DCS A μP ROM Failure                                   See 3.7. 
3.21   DCS A PA 100 PARAMAX Failure                           Failure prevents demodulation of received message information. 
3.22   DCS A SCC Failure                                      Failure prevents message data communication between the μP and modem board. 
3.23   DCS A μP Failure                                       See 3.4. 
3.24   Message Signal from RF Subsystem to DCS A              This is a normal event, not a failure event. 
3.25   DCS A In-phase 1.5 MHz Cut-off Freq. Filter Failure    In-phase bandpass filter (baseband). 
3.26   DCS A In-phase Signal Buffer Failure                   Buffers incoming bit stream for in-phase signal. Failure could prevent signal flow or lose data. 
3.27   DCS A In-phase A/D Failure                             Analog to digital conversion of received in-phase baseband signal. 
3.28   DCS A 70 MHz Input Bandpass Filter Failure             Failure could reject, distort, or attenuate the received analog IF data message from RF subsystem. 
3.29   DCS A Input Automatic Gain Control (AGC) Failure       Failure could prevent signal flow or incorrect PARAMAX demodulation. 
3.30   DCS A 70 MHz Receiver Local Oscillator                 Failure would prevent frequency downshift from IF to baseband. 
3.31   DCS A Power Divider Failure                            Failure could prevent local oscillator signal to mixer, therefore no frequency downshift. 
3.32   DCS A Quad Ckt Input Mixer Failure                     Failure would prevent frequency downshift to baseband for quadrature phase signal. 
3.33   DCS A In-phase Ckt Input Mixer Failure                 Failure would prevent in-phase message demodulation. 
3.34   DCS A Receiver Input Signal Power Divider              See 3.31. 
3.35   DCS A Quad. 1.5 MHz Cut-off Freq. Filter Failure       Quadrature phase bandpass filter (baseband). 
3.36   DCS A Quad. Signal Buffer Failure                      Buffers incoming bit stream for quadrature signal. Failure could prevent signal flow or lose data. 
3.37   DCS A Quad. A/D Failure                                Analog to digital conversion of received quadrature phase baseband signal. 
3.38   DCS B Interface Ckt (PCB) Failure                      Same as for DCS A above. 
3.39   DCS B μP Failure                                       Same as for DCS A above. 
3.40   DCS B EDAC Failure                                     Same as for DCS A above. 
3.41   DCS B μP RAM Failure                                   Same as for DCS A above. 
3.42   DCS B μP ROM Failure                                   Same as for DCS A above. 
3.43   PCB Failure to DCS B                                   Same as for DCS A above. 
3.44   DCS B Digital Control Ckt Failure                      Same as for DCS A above. 
3.45   Loss of Raw Bus Power from PCB to DCS B                Same as for DCS A above. 
3.46   PCB Interface Failure to DCS B                         Same as for DCS A above. 
3.47   DCS B Logic Board Power Conditioner Failure            Same as for DCS A above. 
3.48   DCS B Local Oscillator (70 MHz) Failure                Same as for DCS A above. 
3.49   DCS B Transmitter Mixer Failure                        Same as for DCS A above. 
3.50   DCS B 70 MHz Transmitter Output Band Pass Filter (BPF) Same as for DCS A above. 
3.51   DCS B μP Failure                                       Same as for DCS A above. 
3.52   DCS B EDAC Failure                                     Same as for DCS A above. 
3.53   DCS B μP RAM Failure                                   Same as for DCS A above. 
3.54   DCS B μP ROM Failure                                   Same as for DCS A above. 
3.55   DCS B PA 100 PARAMAX Failure                           Same as for DCS A above. 
3.56   DCS B SCC Failure                                      Same as for DCS A above. 
3.57   DCS B μP Failure                                       Same as for DCS A above. 
3.58   Message Signal from RF Subsystem to DCS B              Same as for DCS A above. 
3.59   DCS B In-phase 1.5 MHz Cut-off Freq. Filter Failure    Same as for DCS A above. 
3.60   DCS B In-phase Signal Buffer Failure                   Same as for DCS A above. 
3.61   DCS B In-phase A/D Failure                             Same as for DCS A above. 
3.62   DCS B 70 MHz Input Bandpass Filter Failure             Same as for DCS A above. 
3.63   DCS B Input Automatic Gain Control (AGC) Failure       Same as for DCS A above. 
3.64   DCS B 70 MHz Receiver Local Oscillator                 Same as for DCS A above. 
3.65   DCS B Power Divider Failure                            Same as for DCS A above. 
3.66   DCS B Quad Ckt Input Mixer Failure                     Same as for DCS A above. 
3.67   DCS B In-phase Ckt Input Mixer Failure                 Same as for DCS A above. 
3.68   DCS B Receiver Input Signal Power Divider              Same as for DCS A above. 
3.69   DCS B Quad. 1.5 MHz Cut-off Freq. Filter Failure       Same as for DCS A above. 
3.70   DCS B Quad. Signal Buffer Failure                      Same as for DCS A above. 
3.71   DCS B Quad. A/D Failure                                Same as for DCS A above. 

Table C.1  Digital Control System Critical Failure Events 
Min. Cut Set  Size      Event Type  Event  Description 

1             1 event   DIAMOND     3.3    DCS A Interface Ckt (PCB) Failure 
2             1 event   DIAMOND     3.4    DCS A μP Failure 
3             1 event               3.5    DCS A EDAC Failure 
4             1 event   DIAMOND     3.6    DCS A μP RAM Failure 
5             1 event   DIAMOND     3.7    DCS A μP ROM Failure 
6             1 event   DIAMOND     3.8    PCB Failure to DCS A 
7             1 event   DIAMOND     3.10   DCS A Digital Control Ckt Failure 
8             1 event   DIAMOND     3.11   Loss of Raw Bus Power from PCB to DCS A 
9             1 event   DIAMOND     3.12   PCB Interface Failure to DCS A 
10            1 event   DIAMOND     3.13   DCS A SC Logic Board Power Conditioner Failure 
11            1 event   DIAMOND     3.14   DCS A Local Oscillator (70 MHz) Failure 
12            1 event   DIAMOND     3.15   DCS A Transmitter Mixer Failure 
13            1 event   DIAMOND     3.16   DCS A 70 MHz Transmitter Output Band Pass Filter (BPF) 
14            1 event   DIAMOND     3.21   DCS A PA 100 PARAMAX Failure 
15            1 event   DIAMOND     3.22   DCS A SCC Failure 
16            1 event   DIAMOND     3.25   DCS A In-phase 1.5 MHz Cut-off Freq. Filter Failure 
17            1 event   DIAMOND     3.26   DCS A In-phase Signal Buffer Failure 
18            1 event   DIAMOND     3.27   DCS A In-phase A/D Failure 
19            1 event   DIAMOND     3.28   DCS A 70 MHz Input Bandpass Filter Failure 
20            1 event   DIAMOND     3.29   DCS A Input Automatic Gain Control (AGC) Failure 
21            1 event   CIRCLE      3.31   DCS A Power Divider Failure 
22            1 event   CIRCLE      3.32   DCS A Quad Ckt Input Mixer Failure 
23            1 event   CIRCLE      3.33   DCS A In-phase Ckt Input Mixer Failure 
24            1 event   CIRCLE      3.34   DCS A Receiver Input Signal Power Divider 
25            1 event   DIAMOND     3.35   DCS A Quad. 1.5 MHz Cut-off Freq. Filter Failure 
26            1 event               3.36   DCS A Quad. Signal Buffer Failure 
27            1 event               3.37   DCS A Quad. A/D Failure 
28            1 event               3.38   DCS B Interface Ckt (PCB) Failure 
29            1 event               3.39   DCS B μP Failure 
30            1 event               3.40   DCS B EDAC Failure 
31            1 event               3.41   DCS B μP RAM Failure 
32            1 event               3.42   DCS B μP ROM Failure 
33            1 event               3.43   PCB Failure to DCS B 
34            1 event               3.44   DCS B Digital Control Ckt Failure 
35            1 event               3.45   Loss of Raw Bus Power from PCB to DCS B 
36            1 event               3.46   PCB Interface Failure to DCS B 
37            1 event               3.47   DCS B Logic Board Power Conditioner Failure 
38            1 event               3.48   DCS B Local Oscillator (70 MHz) Failure 
39            1 event               3.49   DCS B Transmitter Mixer Failure 
40            1 event               3.50   DCS B 70 MHz Transmitter Output Band Pass Filter (BPF) 
41            1 event               3.55   DCS B PA 100 PARAMAX Failure 
42            1 event               3.56   DCS B SCC Failure 
43            1 event               3.59   DCS B In-phase 1.5 MHz Cut-off Freq. Filter Failure 
44            1 event               3.60   DCS B In-phase Signal Buffer Failure 
45            1 event               3.61   DCS B In-phase A/D Failure 
46            1 event               3.62   DCS B 70 MHz Input Bandpass Filter Failure 
47            1 event               3.63   DCS B Input Automatic Gain Control (AGC) Failure 
48            1 event               3.65   DCS B Power Divider Failure 
49            1 event               3.66   DCS B Quad Ckt Input Mixer Failure 
50            1 event               3.67   DCS B In-phase Ckt Input Mixer Failure 
51            1 event               3.68   DCS B Receiver Input Signal Power Divider 
52            1 event   DIAMOND     3.69   DCS B Quad. 1.5 MHz Cut-off Freq. Filter Failure 
53            1 event   DIAMOND     3.70   DCS B Quad. Signal Buffer Failure 
54            1 event   DIAMOND     3.71   DCS B Quad. A/D Failure 
55            2 events  DIAMOND     3.2    MASS B Failure 
                        DIAMOND     3.1    MASS A Failure 

Table C.2  DCS Minimum Cut Sets 
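Table C.2 is the Boolean reduction of the DCS fault tree: each minimum cut set is a smallest set of end events that, occurring together, produces the top event, so a size-1 cut set is a single point failure and the only size-2 set, {3.1, 3.2}, is the pair of redundant mass storage units. The script below is an added example, not code from the thesis or from the FaultrEASE program, showing how such a list is derived by top-down expansion of the gates (the MOCUS approach). DCS_TREE is a hypothetical gate structure assumed for the example; it reuses Table C.1 event numbers but its gating was chosen only to reproduce the two patterns of Table C.2, and the real tree's gating is in the Appendix D drawings.

```python
"""Minimal cut sets of a fault tree by top-down Boolean expansion (MOCUS-style).

An OR gate fails if any child fails; an AND gate fails only if every child
fails.  A cut set is a set of basic events whose joint occurrence causes the
top event; it is minimal if no proper subset is also a cut set.
"""
from itertools import product

# HYPOTHETICAL gate structure, not the thesis's FaultrEASE tree.  Event
# numbers reuse Table C.1 labels; the shape is chosen so that both cut-set
# patterns of Table C.2 appear: every OR-gated component is a single point
# failure, while the two mass storage units (each "accessible from either
# DCS") must both fail, which yields the size-2 cut set {3.1, 3.2}.
DCS_TREE = {
    "DCS_FAILURE":          ("OR",  ["MASS_STORAGE_FAILURE", "DCS_A_FAILURE", "DCS_B_FAILURE"]),
    "MASS_STORAGE_FAILURE": ("AND", ["3.1", "3.2"]),           # MASS A and MASS B
    "DCS_A_FAILURE":        ("OR",  ["3.3", "DCS_A_COMM", "DCS_A_MODEM"]),
    "DCS_A_COMM":           ("OR",  ["3.4", "3.5", "3.6", "3.7"]),
    # Table C.1 lists 3.17 as "see 3.4": the same uP appears under a second
    # branch.  It is entered under its first label here, so the two branches
    # collapse to one cut set instead of being counted twice.
    "DCS_A_MODEM":          ("OR",  ["3.4", "3.21", "3.22"]),
    "DCS_B_FAILURE":        ("OR",  ["3.38", "3.39", "3.40", "3.41", "3.42"]),
}


def cut_sets(tree, node):
    """All (not necessarily minimal) cut sets of `node`, as a list of frozensets."""
    if node not in tree:                      # basic event: it is its own cut set
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(tree, child) for child in children]
    if gate == "OR":                          # union of the children's cut sets
        return [s for sets in child_sets for s in sets]
    if gate == "AND":                         # one cut set from every child, merged
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r} at {node}")


def minimal_cut_sets(tree, top):
    """Keep only the cut sets that have no proper subset among the cut sets."""
    sets = set(cut_sets(tree, top))           # set() drops exact duplicates
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_point_failures(tree, top):
    """Basic events that alone cause the top event (the size-1 minimal cut sets)."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(tree, top) if len(s) == 1)


if __name__ == "__main__":
    for cs in minimal_cut_sets(DCS_TREE, "DCS_FAILURE"):
        print(f"{len(cs)} event(s): {sorted(cs)}")
```

The superset test in minimal_cut_sets is what makes the result a list of minimum cut sets rather than all cut sets: a component that sits under an OR gate at one level and inside an AND gate at another contributes only its single-event set, because any larger set containing it is pruned.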
APPENDIX D.  PANSAT FAULT TREE 


This appendix contains the PANSAT fault tree constructed using the FaultrEASE 
software program. The small triangle end events (called transfers) denote the 
continuation of the fault tree on a following page. The letter inside the transfer symbol 
logically links the pages. 
The tree drawings themselves are not reproduced in this text; the node labels legible on 
the drawing pages are listed below, in page order, under the branch each page covers. 

PANSAT CRITICAL FAILURE 

  Electrical Power Subsystem (EPS) 
    SOLAR PANEL FAILURE 
    LAUNCH SWITCH FAILURE 
    STORAGE BATTERY FAILURE 
    BATTERY A COMPONENT FAILURE 
    BATTERY B COMPONENT FAILURE 
    +5 VOLT DUAL POWER SUPPLY FAILURE 
    BATTERY A CHARGE SYSTEM FAILURE 
    BATTERY B CHARGE SYSTEM FAILURE 
    BATTERY ON-LINE SWITCH FAILURE 
    EPS LOGIC BOARD FAILURE 
    WATCHDOG TIMER COMMAND RESET FAILURE 
    WATCHDOG TIMER AUTOMATIC RESET FAILURE 
    THRESHOLD DETECTOR FAILURE 
    HIGH THRESHOLD DETECTOR FAILURE 

  RF SUBSYSTEM FAILURE 
    RF RECEIVER CIRCUIT FAILURE 
    RF S4 Switch SP4T Switch Failure 
    RF TRANSMITTER CIRCUIT FAILURE 
    RF TRANSMITTER CIRCUIT SWITCHING FAILURE 
    ANTENNA CIRCUIT FAILURE 
    ANTENNA FEED SYSTEM FAILURE 
    RF SIGNAL SWITCHING FAILURE 

  Digital Control Subsystem Failure 
    DCS A COMMUNICATION FAILURE 
    DCS A MODEM BOARD FAILURE 
    DCS B COMMUNICATION FAILURE 
    DCS B MODEM BOARD FAILURE 